htmlentities()和mysql_real_escape_string()是否足以清理PHP中的用户输入? [英] Is htmlentities() and mysql_real_escape_string() enough for cleaning user input in PHP?

问题描述

我对PHP还是很陌生，基本上我正在尝试为我的网站创建一个评论系统.我具有以下功能:

I'm very new to PHP, basically I'm trying to create a commenting system for my site. I have the following function:

$ input = $ _POST ['comment'];

$input = $_POST['comment'];

function cleanUserInput($ input){ $ input = mysql_real_escape_string($ input); $ input = htmlentities($ input); 返回$ input; }

function cleanUserInput($input) { $input = mysql_real_escape_string($input); $input = htmlentities($input); return $input; }

问题是，仅mysql_real_escape_string是否足以防止sql注入? htmlentities()是否足以防止用户输入的脚本，html和样式具有实际效果，并且仅显示为文本?

So the question is, is mysql_real_escape_string alone sufficient to prevent sql injection? and is htmlentities() sufficient to prevent scripts, html and styles entered by the user from having actual effect and just be shown as text?

还是我需要在函数中添加更多内容以使输入真正无害?

Or do I need to add more to my function to make the input really harmless?

推荐答案

mysql_real_escape_string是不够的.您还必须考虑如何构造查询.考虑以下简单的登录脚本:

mysql_real_escape_string is NOT enough. You must also take into account how you structure your query. Consider the following simple login script:

$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);
$sql = "SELECT * FROM users WHERE username = $username AND password = $password";

在$username和$password周围没有引号，仍然可以注入. (考虑用户名=测试； DROP TABLE用户；-.再见数据！:(

without quotes around $username and $password, injection is STILL possible. (Consider a username = test; DROP TABLE users; --. Bye bye data! :(

mysql_real_escape_string就足够了.对于正确构造的查询，此方法很好.

mysql_real_escape_string is sufficient from a sanitization point IF you structure your query correctly. For a properly constructed query, this works fine.

一个更好的问题是您要防止什么?"您还应该注意存储和反映的XSS(跨站点脚本).如果要将来自用户的输入存储在数据库中，并且数据是在浏览器中呈现的，那么您将至少要剥离<script>标记.

A better question is "what are you trying to prevent?" You should also be aware of XSS (cross-site-scripting) stored and reflected. If you are storing input from users in your database and that data is rendered in the browser, you'll want to strip out <script> tags at the very least.

根据您的语言，在线上有许多过滤器和代码可用.如果您使用Rails或CodeIgniter，则已为您完成.

There are many filters and code available on line for this depending on your language. If you use Rails or CodeIgniter, it's done for you.

就这种类型的安全性而言，我建议使用以下内容:

As far as this type of security is concerned, I recommend using the following:

1. 下载并安装该易受攻击的Web应用.它是一个旨在教授网络黑客的来龙去脉的应用程序(基于php)
2. 始终尝试提交其他字符集的字符
3. 总是尝试提交NULL字节
4. 避免在查询字符串中传递太多参数(它可能会泄露您的数据结构)
5. 观看您的日志
6. 下载 burpsuite -您将再也不会以相同的方式浏览网站
7. 警惕. mysql错误消息非常适合调试，但是它们会给出大量信息-通常它们会揭示整个查询！

1. download and install damn vulnerable web app. its an application designed to teach the ins and outs of web hacking (php-based)
2. always try to submit characters of a different charset
3. always try to submit the NULL byte
4. avoid passing too many parameters in the querystring (it can give away your data structure)
5. watch your logs
6. download burpsuite - you'll never look at a website the same way again
7. watch being chatty. mysql error messages are great for debugging, but they give away a ton of information - often times they reveal the whole query!

底行-如果来自用户，则不能受信任！

bottom line - if it comes from the user, it can't be trusted!

这篇关于htmlentities()和mysql_real_escape_string()是否足以清理PHP中的用户输入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！