下拉选择字段是否容易受到任何类型的注入 [英] Are drop down select fields vulnerable to any sort of injection
问题描述
我在这里阅读了永不信任用户输入"的口头禅,这很有意义.我可以理解,用户输入的任何字段都是可疑的.但是,下拉选择字段呢?它们可以用于任何类型的注射吗?
I have read here the mantra "never trust user input" and it makes sense. I can understand that any field that is typed in by the user is suspect. However, what about drop down select fields? Can they be used for any type of injection?
我已经清理了所有允许用户键入的字段,还使用了mysqli准备好的语句来插入数据库.
I have sanitized all the fields that allow a user to type in, and also used mysqli prepared statements for insertion into the database.
但是,我的表单中有三个下拉菜单,想知道我是否需要对它们做任何事情?
However, there are three drop-downs in my form and was wondering if I need to do anything about them?
推荐答案
网站中的每个元素都可以被恶意用户更改(隐藏的字段,div,样式,ajax调用,等等).
Every single element in a website can be altered by a malicious user (hidden fields, divs, styles, ajax calls, you name it...).
也就是说,如果您已经在使用"Prepared Statements",则不必担心SQL Injection,因为mysql已经知道要执行哪些语句.
That said, if you're already using Prepared Statements, you shouldn't worry too much about SQL Injection because mysql already knows what statements are going to be executed.
相反,您应该清理网站中呈现的所有输出.
Instead you should sanitize all the output that is being rendered in a website.
让我们说,您是在问我以这种方式居住在哪个国家/地区:
Let's say that in your form, you're asking what country I live in this way:
<select name="country">
<option value="Mexico">Mexico</option>
<option value="USA">USA</option>
<option value="Canada">Canada</option>
</select>
但是我是恶意用户,我使用Chrome的代码检查器更改了HTML,然后选择了墨西哥,但将其值更改为
but I'm a malicious user, and I use Chrome's code inspector to alter your HTML, and I select Mexico, but change its value to
<script type="text/javascript">alert("Hello World");</script>
,如果您以这种方式在另一页中输出该值:
and if you output that value in another page this way:
Your country is: <?=$country?>
然后您将要编写:
Your country is:
<script type="text/javascript">alert("Hello World")</script>
,将弹出一个警告框,显示文本"Hello World"
and an alert box will pop up with the text "Hello World"
我可能会对您造成什么伤害……
What harm can I make with that you may wonder...
好吧,我可以做任何我想做的事情,可以窃取Cookie或该值是公开的(例如,您在首页上显示该值),然后可以将您的用户重定向到另一个网站,更改您网站的内容...我想要的任何东西.
well I can do anything I want with that, I can steal cookies or if that value is public (say that you're displaying that value in your frontpage), then I could redirect your users to another website, change your website's content... whatever I want.
要清理用户的输出,可以使用
To sanitize your users' output you can use
htmlentities
例如,这会将< >符号转换为其各自的代码:<和>
That will convert, for example, the < > symbols to its respective code: < and >
这篇关于下拉选择字段是否容易受到任何类型的注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
