这两个功能是否对杀菌消毒过度? [英] Are these two functions overkill for sanitization?
问题描述
function sanitizeString($var)
{
$var = stripslashes($var);
$var = htmlentities($var);
$var = strip_tags($var);
return $var;
}
function sanitizeMySQL($var)
{
$var = mysql_real_escape_string($var);
$var = sanitizeString($var);
return $var;
}
我从书中获得了这两个函数,作者说,使用这两个函数,我可以更加安全地抵御XSS(第一个函数)和sql注入(第二个函子). 所有这些都是必要的吗?
I got these two functions from a book and the author says that by using these two, I can be extra safe against XSS(the first function) and sql injections(2nd func). Are all those necessary?
为了进行清理,我还使用准备好的语句来防止sql注入.
Also for sanitizing, I use prepared statements to prevent sql injections.
我会这样使用它:
$variable = sanitizeString($_POST['user_input']);
$variable = sanitizeMySQL($_POST['user_input']);
编辑:摆脱第一个功能的strip_tags,因为它没有任何作用. 使用这两个功能是否足以防止大多数攻击并可以在公共站点上使用?
Get rid of strip_tags for the 1st function because it doesn't do anything. Would using these two functions be enough to prevent the majority of attacks and be okay for a public site?
推荐答案
是的,但是这种转义级别可能并不适合所有情况.如果要将HTML存储在数据库中怎么办?
It's true, but this level of escaping may not be appropriate in all cases. What if you want to store HTML in a database?
最佳实践表明,在显示它们时,您应该转义它们,而不是逃避接收值.这样一来,您就可以考虑同时显示数据库中的HTML和数据库中的非HTML,无论如何,这实际上是逻辑上属于这种代码的地方.
Best practice dictates that, rather than escaping on receiving values, you should escape them when you display them. This allows you to account for displaying both HTML from the database and non-HTML from the database, and it's really where this sort of code logically belongs, anyway.
清理传出HTML的另一个优点是可以发现一个新的攻击媒介,在这种情况下,清理传入HTML不会对数据库中已有的值做任何事情,而传出清理将追溯应用而无需执行任何操作特殊
Another advantage of sanitizing outgoing HTML is that a new attack vector may be discovered, in which case sanitizing incoming HTML won't do anything for values that are already in the database, while outgoing sanitization will apply retroactively without having to do anything special
此外,请注意,如果所有<和>都变为<和>,则第一个函数中的strip_tags可能无效.
Also, note that strip_tags in your first function will likely have no effect, if all of the < and > have become < and >.
这篇关于这两个功能是否对杀菌消毒过度?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
