添加“addslahses”已经存在的项目 - 最好的方法? [英] adding "addslahses" to already live project - best approach?
问题描述
采用别人的PHP应对并用
语言完成速成课程后,我遇到了当前代码的(可能是常见的)问题。
在注册表上,每当用户名中有撇号时,它就会导致问题,因为它们没有被正确添加到数据库中,原因是
立即变得明显。
在实现我自己的解决方法之前,我注意到了这些功能。
addslashes,stripslashes和指令magic_quotes_gpc。这些似乎是好的想法,我现在将使用它们。
在所有代码中引入这种做法的最佳方法是什么? >
这个项目。这是我想逐步进行的,因此当我在必要时进行
更改时,我也会添加这些更改,我不想
必须经历整个代码现在改变了一切。
我可以做以下的事情
在我创建的每个新脚本上执行以下操作。
检查魔术引号指令是否已启用,如果没有,但如果没有,则手动运行addslashes函数以及检索数据的位置
来自数据库的
进入并添加一条striplashes。
实际上我只能在写入的代码中进行更改并且
检索信息从数据库而不是每个收集
表单输入的脚本。因此,这将减少对代码进行多次更改的需要。
这就是我需要做的全部。是否有任何影响,我不知道
通过特定的方式实现这个?
原谅这个问题的模糊性,我仍然感到惊讶找到
这在开始时没有完成。
亲切的问候
Dave
Having adopted someone else''s PHP cope and completing a crash course in the
language I came across a (probably common) problem with the current code.
On a registration form, whenever users names have an apostrophe in them it
causes problems as they do not get added to the DB correctly for reasons
that immediately become apparent.
Before implementing my own workaround I noticed the functions.
addslashes, stripslashes and directive magic_quotes_gpc. These seem like
great ideas and I will now use them.
What is the best way of introducing this practise across all of the code for
this project. It is something I want to progressively, therefore as I make
changes when necessary, I will also add these changes, I do not want to
have to go through the entire code now changing everything.
Can I just do something like the following
On each new script I create do the following.
Check if the magic quotes directive is enabled, and if so do nothing, but if
not, manually run the addslashes function and wherever data is retrieved
from the database go in and add a stripslashes.
Actually I could just make the changes in the code that writes to and
retrieves info from the database rather then on each script that collects
form input. This would therefore lessen the need to make multiple changes to
the code.
Is that all I will need to do. Is there any implications that I am not aware
of by implementing this in a particular way?
Forgive the slight vagueness in this question, I am still surprised to find
this was not done in the start.
Kind regards
Dave
推荐答案
Dave Smithz写道:
Dave Smithz wrote:
在我创建的每个新脚本上执行以下操作。
检查是否有魔法引号指令已启用,如果没有,但如果没有,则手动运行addslashes函数以及从数据库中检索数据的任何地方进入并添加stripslashes。
您永远不必在_ $ $
数据库的_out_数据上运行stripslashes。如果你这样做,你的数据是否已损坏,或者你有''magic_quotes_runtime''选项。 magic_quotes_runtime会破坏
数据无法预测,你可能永远不会使用它。
根据我的经验,最可靠的做法是始终逃避数据
*确切地说它是一个SQL命令*,而不是更早。并非所有形式都将
输入转储到原始SQL命令中,而且并非所有发往SQL的数据都直接来自表单输入,因此magic_quotes_gpc非常好
不可靠。
特别要注意的是,如果您处理来自表格
之后的文本并将其放入SQL命令之前,预先添加的斜杠可能会被损坏或删除。如果你依赖原始的斜杠来存在,那么你可能会受到SQL注入攻击的攻击。<br />
我最终做的是运行stripslashes( )当
magic_quotes_gpc打开时,所有表单输入,以便数据可以在我的
程序中以适当的状态传递,然后确保所有生成的SQL
语句生成器转义它们的参数。
实际上我只能在写入的代码中进行更改并从数据库中检索信息,而不是在每个收集的脚本上检索信息
表格输入。因此,这将减少对代码进行多次更改的需要。
在将数据作为文字值插入原始SQL
语句之前,应始终转义数据。 addslashes()可能正确也可能不正确,
,具体取决于您的数据库;使用适用于你的
数据库的函数(例如mysql_real_escape_string)。还要考虑PEAR :: DB'
辅助函数,它们通常可以为您执行此步骤。
这就是我需要做的所有事情。通过以特定的方式实现这一点,是否有任何我不知道的含义?
On each new script I create do the following.
Check if the magic quotes directive is enabled, and if so do nothing, but if
not, manually run the addslashes function and wherever data is retrieved
from the database go in and add a stripslashes.
You should never have to run stripslashes on data taken _out_ of the
database. If you do, either your data was corrupt going in or you have
the ''magic_quotes_runtime'' option on. magic_quotes_runtime will corrupt
data unpredictably and you should probably never use it.
In my experience the most reliable thing to do is to always escape data
*exactly when putting it an SQL command*, not earlier. Not all form
input is dumped into raw SQL commands, and not all data destined for SQL
commands comes directly from form input, so magic_quotes_gpc is very
unreliable.
In particular, note that if you process text after it comes from a form
and before putting it into an SQL command, the pre-added slashes may be
corrupted or removed. If you relied on the original slashes to be
present, you may become vulnerable to an SQL injection attack.
What I end up doing is running stripslashes() on all the form input when
magic_quotes_gpc is on, so that data can be passed around within my
program in its proper state, then ensuring that all generated SQL
statement generators escape their arguments.
Actually I could just make the changes in the code that writes to and
retrieves info from the database rather then on each script that collects
form input. This would therefore lessen the need to make multiple changes to
the code.
You should always escape data before inserting it into a raw SQL
statement as a literal value. addslashes() may or may not be correct,
depending on your database; use the appropriate function for your
database (such as mysql_real_escape_string). Consider also PEAR::DB''s
helper functions which can often perform this step for you.
Is that all I will need to do. Is there any implications that I am not aware
of by implementing this in a particular way?
有些事你不想做:
*逃避不足 - > SQL注入
*转义后处理字符串 - > SQL注入
*双重转义 - >数据损坏
*在非SQL上下文中使用SQL转义字符串 - >数据损坏
- brion vibber(brion @ pobox.com)
Some things you don''t want to do:
* insufficient escaping -> SQL injection
* processing strings after escaping -> SQL injection
* double escaping -> data corruption
* using SQL-escaped strings in a non-SQL context -> data corruption
-- brion vibber (brion @ pobox.com)
"戴夫史密斯 < SPAM FREE WORLD>在消息中写道
news:42 ******** @ news1.homechoice.co.uk ...
"Dave Smithz" <SPAM FREE WORLD> wrote in message
news:42********@news1.homechoice.co.uk...
已经采用别人的PHP应对并且用
语言完成了一个速成课程我遇到了当前代码的一个(可能是常见的)问题。
在注册表上,每当用户名都有撇号时它们会导致问题,因为它们没有被正确地添加到数据库中,原因很明显。
在实现我自己的解决方法之前,我注意到了这些功能。
addslashes,stripslashes和指令magic_quotes_gpc。这些似乎是很好的想法,我现在将使用它们。
在这个项目的所有代码中引入这种做法的最佳方式是什么?这是我想要逐步进行的,因此当我在必要时进行更改时,我也会添加这些更改,我不想现在必须通过整个代码更改所有内容。
我可以执行以下操作吗
在我创建的每个新脚本上执行以下操作。
检查魔术引号指令是否已启用,以及是否所以什么都不做,但是如果没有,那么手动运行addslashes函数以及从数据库中检索数据的地方进入并添加一条striplashes。
其实我可以只在代码中进行更改,写入并从数据库中检索信息,而不是在每个收集
表单输入的脚本上。因此,这将减少对代码进行多次更改的需要。
这就是我需要做的全部。通过以特定的方式实现这一点,是否有任何影响我不知道?
原谅这个问题的模糊性,我仍然感到惊讶
发现
这一切都没有在开始时完成。
亲切的问候
戴夫
Having adopted someone else''s PHP cope and completing a crash course in
the
language I came across a (probably common) problem with the current code.
On a registration form, whenever users names have an apostrophe in them it
causes problems as they do not get added to the DB correctly for reasons
that immediately become apparent.
Before implementing my own workaround I noticed the functions.
addslashes, stripslashes and directive magic_quotes_gpc. These seem like
great ideas and I will now use them.
What is the best way of introducing this practise across all of the code
for
this project. It is something I want to progressively, therefore as I make
changes when necessary, I will also add these changes, I do not want to
have to go through the entire code now changing everything.
Can I just do something like the following
On each new script I create do the following.
Check if the magic quotes directive is enabled, and if so do nothing, but
if
not, manually run the addslashes function and wherever data is retrieved
from the database go in and add a stripslashes.
Actually I could just make the changes in the code that writes to and
retrieves info from the database rather then on each script that collects
form input. This would therefore lessen the need to make multiple changes
to
the code.
Is that all I will need to do. Is there any implications that I am not
aware
of by implementing this in a particular way?
Forgive the slight vagueness in this question, I am still surprised to
find
this was not done in the start.
Kind regards
Dave
我同意Brian但我使用函数htmlspecialchars();
这改变了引号''和''等特殊字符。等等...到HTML
实体。
例如。
''&''(&符号)变成''&当没有设置ENT_NOQUOTES时,';'
''"''(双引号)变成''& quot;''。
''''' '(单引号)仅在设置了ENT_QUOTES时变为'''''。
http ://au2.php.net/htmlspecialchars
布伦特帕尔默。
I agree with Brian but I use the function htmlspecialchars();
This changes the special chars like quotes '' and " and so on... to HTML
entities .
Eg.
''&'' (ampersand) becomes ''&''
''"'' (double quote) becomes ''"'' when ENT_NOQUOTES is not set.
'''''' (single quote) becomes ''''' only when ENT_QUOTES is set.
http://au2.php.net/htmlspecialchars
Brent Palmer.
我注意到了Message-ID :< 42 ******** @ news1.homechoice.co.uk>来自
" Dave Smithz" < SPAM FREE WORLD>包含以下内容:
<关于需要采取哪些措施来消毒数据输入>
常见问题入门人员?
-
Geoff Berrow(把猫放到电子邮件中)
它只是Usenet,没有人死。
我的意见,而不是我的委员会。
简单的RFD http://www.ckdog.co.uk/rfdmaker/
I noticed that Message-ID: <42********@news1.homechoice.co.uk> from
"Dave Smithz" <SPAM FREE WORLD> contained the following:
<on measures that need to be taken to sanitise data input>
FAQ entry folks?
--
Geoff Berrow (put thecat out to email)
It''s only Usenet, no one dies.
My opinions, not the committee''s, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
这篇关于添加“addslahses”已经存在的项目 - 最好的方法?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
