终极清洁/安全功能 [英] The ultimate clean/secure function

问题描述

我有很多来自$_GET和$_POST的用户输入...目前，我总是写mysql_real_escape_string($_GET['var']) ..

I have a lot of user inputs from $_GET and $_POST... At the moment I always write mysql_real_escape_string($_GET['var'])..

我想知道您是否可以创建一个可以立即保护，转义和清理$_GET/$_POST数组的函数，因此您不必在每次使用用户输入时都进行处理等等.

I would like to know whether you could make a function that secures, escapes and cleans the $_GET/$_POST arrays right away, so you won't have to deal with it each time you are working with user inputs and such.

我正在考虑一个功能，例如cleanMe($input)，在它内部，它应该执行mysql_real_escape_string，htmlspecialchars，strip_tags，stripslashes(我认为这是为了使它整洁而安全)，然后返回$input.

I was thinking of an function, e.g cleanMe($input), and inside it, it should do mysql_real_escape_string, htmlspecialchars, strip_tags, stripslashes (I think that would be all to make it clean & secure) and then return the $input.

那么这可能吗?制作一个适用于所有$_GET和$_POST的函数，因此您只需要这样做:

So is this possible? Making a function that works for all $_GET and $_POST, so you would do only this:

$_GET  = cleanMe($_GET);
$_POST = cleanMe($_POST);

因此，在以后的代码中，当您使用例如$_GET['blabla']或$_POST['haha']时，它们是否被固定，剥离等?

So in your code later, when you work with e.g $_GET['blabla'] or $_POST['haha'] , they are secured, stripped and so on?

试了一下自己

function cleanMe($input) {
   $input = mysql_real_escape_string($input);
   $input = htmlspecialchars($input, ENT_IGNORE, 'utf-8');
   $input = strip_tags($input);
   $input = stripslashes($input);
   return $input;
}

推荐答案

通用卫生功能的概念是一个破损的概念.

The idea of a generic sanitation function is a broken concept.

每种目的都有一种正确的卫生方法.在字符串上不加选择地运行它们通常会破坏它-为SQL查询转义一段HTML代码会破坏它在网页中的使用，反之亦然.应该使用数据在之前应用卫生设施:

There is one right sanitation method for every purpose. Running them all indiscriminately on a string will often break it - escaping a piece of HTML code for a SQL query will break it for use in a web page, and vice versa. Sanitation should be applied right before using the data:

• ，然后再运行数据库查询.正确的卫生方法取决于您使用的图书馆；它们列在如何防止PHP中进行SQL注入?

htmlspecialchars()用于安全HTML输出

htmlspecialchars() for safe HTML output

preg_quote()用于正则表达式

escapeshellarg()/escapeshellcmd()用于外部命令

等等等.

使用一刀切"的卫生功能就像在植物上使用五种剧毒杀虫剂，而该杀虫剂定义上只能含有一种虫子-只是发现您的植物受到第六种虫子的侵扰，没有一种杀虫剂可以起作用.

Using a "one size fits all" sanitation function is like using five kinds of highly toxic insecticide on a plant that can by definition only contain one kind of bug - only to find out that your plants are infested by a sixth kind, on which none of the insecticides work.

总是使用一种正确的方法，最好是在将数据传递给函数之前直接使用.除非需要，否则从不混合方法.

Always use that one right method, ideally straight before passing the data to the function. Never mix methods unless you need to.

这篇关于终极清洁/安全功能的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！