通过PHP在GET中清除用户数据 [英] Sanitizing user's data in GET by PHP
问题描述
我不确定是否应该清理所有内容,因为最后一次将数据放入Postgres时,通过使用
pg_prepare 可以很容易地解决问题。
您如何通过PHP来清理$ _GET -variables中的数据?
您不要清理$ _GET中的数据。这是PHP脚本中的一种常见方法,但它完全错误*。
所有变量都应以纯文本形式保留,直到将它们嵌入另一种类型的串。没有任何形式的转义或消毒可以涵盖所有可能嵌入您的值的字符串。
因此,如果您要嵌入字符串到一个SQL查询中,您需要在出口时将其转义:
$ sql =SELECT * FROM accounts WHERE username = .pg_escape_string($ _ GET [ '用户名'])。 ';
如果您将字符串分散到HTML中,则需要将其转义: p>
无法登录为<?php echo(htmlspecialchars($ _ GET ['username'],ENT_QUOTES))?> ;.
如果您在开始时在$ _GET数组上执行了这两个转义步骤,谁不知道他们在做什么:
$ _ GET ['username'] = htmlspecialchars(pg_escape_string($ _ GET [ '用户名']));
然后当您的用户名中有'&'时,它会神秘地变成'& amp;'放在你的数据库中,如果你的用户名中有一个撇号,它会在页面上变成两个撇号。然后当你有一个带有这些字符的表单时,很容易在编辑时产生双重转义的东西,这就是为什么很多不好的PHP CMS最终会出现诸如O \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\ \\'Reilly \\。
当然,每次发送一个变量时记住pg_escape_string或mysql_real_escape_string和htmlspecialchars有点乏味,这就是为什么每个人都希望在脚本开始的时候(错误地)在一个地方做到这一点。对于HTML输出,至少可以通过定义一个名称为echo(htmlspecialchars(...))的函数来保存某些输入。
对于SQL,您使用参数化查询更好。对于Postgres,有 pg_query_params 。或者事实上,如你所提及的准备好的陈述(尽管我个人觉得它们不太适合)。无论哪种方式,您都可以忘记清理或转义SQL,但如果您嵌入其他类型的字符串(包括HTML),则仍然必须转义。
strip_tags()不是处理HTML显示输入的好方法。在过去,它存在安全问题,因为浏览器解析器在解释标签可能比您想象的要复杂得多。 htmlspecialchars()几乎总是正确的用法,所以如果有人输入一个小于号的符号,他们实际上会得到一个小于号的字面值,并且不会发现他们的文本的一半神秘消失。
* b $ b
(*:作为解决注入问题的一般方法,无论如何,自然而然地,在特定领域有值得做的领域特定检查,并且有一些有用的清理任务可以完成,例如移除所有控制字符来自提交的值,但这不是大多数PHP编码人员通过清理的意思。)
How do you sanitize data in $_GET -variables by PHP?
I sanitize only one variable in GET by strip_tags.
I am not sure whether I should sanitize everything or not, because last time in putting data to Postgres, the problem was most easily solved by the use of pg_prepare.
How do you sanitize data in $_GET -variables by PHP?
You do not sanitize data in $_GET. This is a common approach in PHP scripts, but it's completely wrong*.
All your variables should stay in plain text form until the point when you embed them in another type of string. There is no one form of escaping or ‘sanitization’ that can cover all possible types of string you might be embedding your values into.
So if you're embedding a string into an SQL query, you need to escape it on the way out:
$sql= "SELECT * FROM accounts WHERE username='".pg_escape_string($_GET['username'])."'";
And if you're spitting the string out into HTML, you need to escape it then:
Cannot log in as <?php echo(htmlspecialchars($_GET['username'], ENT_QUOTES)) ?>.
If you did both of these escaping steps on the $_GET array at the start, as recommended by people who don't know what they're doing:
$_GET['username']= htmlspecialchars(pg_escape_string($_GET['username']));
Then when you had a ‘&’ in your username, it would mysteriously turn into ‘&’ in your database, and if you had an apostrophe in your username, it would turn into two apostrophes on the page. Then when you have a form with these characters in it is easy to end up double-escaping things when they're edited, which is why so many bad PHP CMSs end up with broken article titles like "New books from O\\\\\\\\\\\\\\\\\\\'Reilly".
Naturally, remembering to pg_escape_string or mysql_real_escape_string, and htmlspecialchars every time you send a variable out is a bit tedious, which is why everyone wants to do it (incorrectly) in one place at the start of the script. For HTML output, you can at least save some typing by defining a function with a short name that does echo(htmlspecialchars(...)).
For SQL, you're better off using parameterised queries. For Postgres there's pg_query_params. Or indeed, prepared statements as you mentioned (though I personally find them less managable). Either way, you can then forget about ‘sanitizing’ or escaping for SQL, but you must still escape if you embed in other types of string including HTML.
strip_tags() is not a good way of treating input for HTML display. In the past it has had security problems, as browser parsers are actually much more complicated in their interpretation of what a tag can be than you might think. htmlspecialchars() is almost always the right thing to use instead, so that if someone types a less-than sign they'll actually get a literal less-than sign and not find half their text mysteriously vanishing.
(*: as a general approach to solving injection problems, anyway. Naturally there are domain-specific checks it is worth doing on particular fields, and there are useful cleanup tasks you can do like removing all control characters from submitted values. But this is not what most PHP coders mean by sanitization.)
这篇关于通过PHP在GET中清除用户数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
