PHP& mySQL:何时确切使用htmlentities? [英] PHP & mySQL: When exactly to use htmlentities?
问题描述
平台: PHP& mySQL
PLATFORM: PHP & mySQL
出于实验目的,我自己在自己的网站上尝试了很少的XSS注入.考虑这种情况,我可以输入表单textarea.由于这是一个文本区域,因此我可以输入文本和各种(英文)字符.这是我的观察结果:
For my experimentation purposes, I have tried out few of the XSS injections myself on my own website. Consider this situation where I have my form textarea input. As this is a textarea, I am able to enter text and all sorts of (English) characters. Here are my observations:
A).如果仅在将数据插入数据库之前仅应用strip_tags和mysql_real_escape_string并且不对输入使用htmlentities,则查询中断,并且由于显示以下错误,我被打了一个错误,该错误显示了我的表结构:异常终止.
A). If I apply only strip_tags and mysql_real_escape_string and do not use htmlentities on my input just before inserting the data into the database, the query is breaking and I am hit with an error that shows my table structure, due to the abnormal termination.
B).如果在将数据插入数据库之前就在输入中应用strip_tags,mysql_real_escape_string和htmlentities,查询不会中断,并且我能够成功地将文本区域中的数据插入到我的数据库中.
B). If I am applying strip_tags, mysql_real_escape_string and htmlentities on my input just before inserting the data into the database, the query is NOT breaking and I am able to successfully able to insert data from the textarea into my database.
因此,我确实知道必须不惜一切代价使用htmentity,但不确定何时确切使用它.考虑到以上几点,我想知道:
So I do understand that htmentities must be used at all costs but unsure when exactly it should be used. With the above in mind, I would like to know:
-
何时应确切使用htmlentities?
When exactly htmlentities should be used? Should it be used just before inserting the data into DB or somehow get the data into DB and then apply htmlentities when I am trying to show the data from the DB?
如果我遵循上述B点中所述的方法(我认为这是我的情况下最明显,最有效的解决方案),那么当我尝试从D B?如果是这样,为什么?如果没有,为什么不呢?我问这个问题是因为,在我浏览以下文章后,这确实让我感到困惑: http ://shiflett.org/blog/2005/dec/google-xss-example
If I follow the method described in point B) above (which I believe is the most obvious and efficient solution in my case), do I still need to apply htmlentities when I am trying to show the data from the DB? If so, why? If not, why not? I ask this because it's really confusing for me after I have gone through the post at: http://shiflett.org/blog/2005/dec/google-xss-example
然后再有一个PHP函数,称为: html_entity_decode .当在输入上应用了htmlentities时,是否可以使用它来显示来自DB的数据(按照B点所示的步骤进行操作)?我应该选择哪一个:html_entity_decode和htmlentities以及何时使用?
Then there is this one more PHP function called: html_entity_decode. Can I use that to show my data from DB (after following my procedure as indicated in point B) as htmlentities was applied on my input? Which one should I prefer from: html_entity_decode and htmlentities and when?
预览页:
我认为在此处添加一些特定情况的更多详细信息可能会有所帮助.考虑有一个预览"页面.现在,当我从文本区域提交输入时,预览"页面将接收输入并将其显示为html,同时,隐藏的输入将收集此输入.当单击预览"按钮上的提交"按钮时,隐藏输入中的数据将POST到新页面,并且该页面将隐藏输入中包含的数据插入到数据库中.如果我在最初提交表单时不应用htmlentities(但仅应用strip_tags和mysql_real_escape_string),并且在文本区域中存在恶意输入,则隐藏的输入将被破坏,并且隐藏的输入的最后几个字符在上会明显显示为" />页面,这是不可取的.因此,请记住这一点,我需要做一些事情以在预览"页面上适当地保留隐藏输入的完整性,并在隐藏输入中收集数据,以免破坏数据.我该怎么办?抱歉,延迟发布此信息.
I thought it might help to add some more specific details of a specific situation here. Consider that there is a 'Preview' page. Now when I submit the input from a textarea, the Preview page receives the input and shows it html and at the same time, a hidden input collects this input. When the submit button on the Preview button is hit, then the data from the hidden input is POST'ed to a new page and that page inserts the data contained in the hidden input, into the DB. If I do not apply htmlentities when the form is initially submitted (but apply only strip_tags and mysql_real_escape_string) and there's a malicious input in the textarea, the hidden input is broken and the last few characters of the hidden input visibly seen as " /> on the page, which is undesirable. So keeping this in mind, I need to do something to preserve the integrity of the hidden input properly on the Preview page and yet collect the data in the hidden input so that it does not break it. How do I go about this? Apologize for the delay in posting this info.
谢谢.
推荐答案
这是一般的经验法则.
在最后可能的时刻转义变量.
您希望变量是数据的干净表示.也就是说,如果您要存储名为"O'Brien"的人的姓氏,那么您肯定不想要这些:
You want your variables to be clean representations of the data. That is, if you are trying to store the last name of someone named "O'Brien", then you definitely don't want these:
O'Brien
O\'Brien
..因为,好吧,这不是他的名字:里面没有&"号或"/"号.当您使用该变量并将其输出到特定的上下文中(例如:插入SQL查询或打印到HTML页面)时,那个就是您对其进行修改的时候.
.. because, well, that's not his name: there's no ampersands or slashes in it. When you take that variable and output it in a particular context (eg: insert into an SQL query, or print to a HTML page), that is when you modify it.
$name = "O'Brien";
$sql = "SELECT * FROM people "
. "WHERE lastname = '" . mysql_real_escape_string($name) . "'";
$html = "<div>Last Name: " . htmlentities($name, ENT_QUOTES) . "</div>";
您永远不想在数据库中存储htmlentities编码的字符串.如果要生成CSV或PDF或不是 HTML的任何内容,会发生什么?
You never want to have htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, or anything which isn't HTML?
保持数据整洁,仅在当前特定情况下转义.
Keep the data clean, and only escape for the specific context of the moment.
这篇关于PHP& mySQL:何时确切使用htmlentities?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
