防止PHP Web应用程序中的JavaScript注入 [英] Preventing JavaScript Injections in a PHP Web Application

问题描述

在PHP Web应用程序中阻止或阻止JavaScript注入所需的措施是什么，以便不提供敏感信息（PHP，HTML / XHTML和JavaScript中的最佳实践）？

What are the measures needed to prevent or to stop JavaScript injections from happening in a PHP Web application so that sensitive information is not given out (best-practices in PHP, HTML/XHTML and JavaScript)?

推荐答案

好的第一步是应用问题Gert G链接。这详细介绍了可以在不同情况下用于清理输入的各种函数，包括 mysql_real_escape_string ， htmlentities（）， htmlspecialchars（）， strip_tags（）和 addslashes（）

A good first step is applying the methods listed in the question Gert G linked. This covers in detail the variety of functions that can be used in different situations to cleanse input, including mysql_real_escape_string, htmlentities(), htmlspecialchars(), strip_tags() and addslashes()

更好的方法是尽可能避免将用户输入直接插入数据库。使用白名单输入验证：在任何只有有限范围的情况下选项，从插入的硬编码值中选择，而不是从任何面向客户端的表单中获取输入。基本上，这意味着只有你接受的某些值，而不是试图消除/反对邪恶/错误形成/恶意输入。

A better way, whenever possible, is to avoid inserting user input directly into your database. Employ whitelist input validation: in any situation where you only have a limited range of options, choose from hard-coded values for for insertion, rather than taking the input from any client-side facing form. Basically, this means having only certain values that you accept, instead of trying to eliminate/counter evil/mal-formed/malicious input.

例如：
如果您有一个包含项目下拉列表的表单，请不要使用此下拉列表中的输入进行插入。请记住，恶意客户端可以编辑随表单提交发送的信息，即使您认为它们只有有限的选项。相反，让下拉引用服务器端代码中的数组中的索引。然后使用该数组选择要插入的内容。这样，即使攻击者试图向您发送恶意代码，它也不会真正命中您的数据库。

For example: If you have a form with a drop down for items, do not take use the input from this dropdown for insertion. Remember that a malicious client can edit the information sent with the form's submission, even if you think they only have limited options. Instead, have the drop down refer to an index in an array in your server-side code. Then use that array to choose what to insert. This way, even if an attacker tries to send you malicious code, it never actually hits your database.

显然，这不适用于像论坛这样的自由格式应用程序或博客。对于那些人，你必须依靠第一步技术。尽管如此，还是有很多选项可以通过白名单输入验证来改进。

Obviously, this doesn't work for free-form applications like forums or blogs. For those, you have to fall back on the "first step" techniques. Still, there are a wide range of options that can be improved via whitelist input validation.

您还可以使用参数化查询（也称为带有绑定变量的预处理语句），尽可能为您的sql交互。这将告诉您的数据库服务器所有输入只是一个值，因此它可以减轻注入攻击带来的许多潜在问题。在许多情况下，这甚至可以涵盖自由格式的应用程序。

You can also use parameterized queries (aka prepared statements with bind variables) for your sql interactions wherever possible. This will tell your database server that all input is simply a value, so it mitigates a lot of the potential problems from injection attacks. In many situations, this can even cover free-form applications.

这篇关于防止PHP Web应用程序中的JavaScript注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！