使用Wordpress,有人可以告诉我清除输入的最佳方法吗? [英] Using Wordpress, can some one tell me the best way of sanitizing input?
问题描述
我正在使用Wordpress作为CMS开发应用程序.
I'm developing an application using Wordpress as a CMS.
我有一个带有很多输入字段的表单,在存储到数据库之前,需要对其进行清理.
我想防止SQL注入,注入javascript和PHP代码以及其他有害代码.
I have a form with a lot of input fields which needs to be sanitized before stored in the database.
I want to prevent SQL injection, having javascript and PHP code injected and other harmful code.
目前,我正在使用自己的方法来清理数据,但是我觉得使用WP使用的功能可能会更好.
Currently I'm using my own methods to sanitize data, but I feel that it might be better to use the functions which WP uses.
我已经在Wordpress中查看了数据验证,但是我不确定这些功能中有多少我应该以什么顺序使用.谁能说出最适合使用什么WP函数?
I have looked at Data Validation in Wordpress, but I'm unsure on how much of these functions I should use, and in what order. Can anyone tell what WP functions are best to use?
目前,我正在通过执行以下操作对输入内容进行消毒":
Currently I'm "sanitizing" my input by doing the following:
-
因为带有重音符号(é,ô,æ,ø,å)的字符以有趣的方式存储在数据库中(即使我的表设置为
ENGINE=InnoDB,DEFAULT CHARSET=utf8和COLLATE=utf8_danish_ci) ,我现在正在使用htmlentities()转换可以带有重音符号的输入字段.
Because characters with accents (é, ô, æ, ø, å) got stored in a funny way in the Database (even though my tables are set to
ENGINE=InnoDB,DEFAULT CHARSET=utf8andCOLLATE=utf8_danish_ci), I'm now converting input fields that can have accents, using htmlentities().
在创建用于输入数据的SQL字符串时,我使用mysql_real_escape_string().
When creating the SQL string to input the data, I use mysql_real_escape_string().
我认为这不足以阻止攻击.因此,非常感谢您提出改进建议.
I don't think this is enough to prevent attacks though. So suggestions to improvement is greatly appreciated.
推荐答案
输入的消毒"是伪造的.
Input "sanitisation" is bogus.
您不应尝试通过过滤(*)或转义输入来保护自己免受注入麻烦,应该使用原始字符串,直到将它们放入另一个上下文为止.此时,您需要针对该上下文的正确转义功能,对于MySQL查询,该功能为mysql_real_escape_string,对于HTML输出,该功能为htmlspecialchars.
You shouldn't attempt to protect yourself from injection woes by filtering(*) or escaping input, you should work with raw strings until the time you put them into another context. At that point you need the correct escaping function for that context, which is mysql_real_escape_string for MySQL queries and htmlspecialchars for HTML output.
(WordPress添加了自己的转义功能,如esc_html,原则上没有什么不同.)
(WordPress adds its own escaping functions like esc_html, which are in principle no different.)
(*:好,除了特定于应用程序的要求外,例如检查电子邮件地址确实是电子邮件地址,确保密码合理等等,还有一个用于过滤掉控制字符的合理参数.在输入阶段,尽管实际上很少这样做.)
(*: well, except for application-specific requirements, like checking an e-mail address is really an e-mail address, ensuring a password is reasonable, and so on. There's also a reasonable argument for filtering out control characters at the input stage, though this is rarely actually done.)
我现在正在使用htmlentities()转换可以带有重音符号的输入字段.
I'm now converting input fields that can have accents, using htmlentities().
我强烈建议您不要这样做.您的数据库应包含原始文本;如果您将其编码为HTML,则使对列进行数据库操作变得更加困难.您还将同时转义<和"之类的字符与非ASCII字符.当您从数据库中获取数据并出于其他原因(而不是将其复制到页面中)使用它时,数据中便出现了虚假的HTML转义符.在将文本写到页面的最后一刻,不要转义HTML.
I strongly advise not doing that. Your database should contain raw text; you make it much harder to do database operations on the columns if you've encoded it as HTML. You're escaping characters such as < and " at the same time as non-ASCII characters too. When you get data from the database and use it for some other reason than copying it into the page, you've now got spurious HTML-escapes in the data. Don't HTML-escape until the final moment you're writing text to the page.
如果您难以将非ASCII字符输入数据库,则这是另一个问题,您应该首先解决该问题,而不是寻求诸如存储HTML编码数据之类的不可持续的解决方法.这里有许多关于让PHP和数据库使用正确的UTF-8的文章,但是主要的事情是要确保使用Content-Type标头/元数据将HTML输出页面本身正确地用作UTF-8.然后检查您的MySQL连接设置为UTF-8,例如,使用 mysql_set_charset() .
If you are having trouble getting non-ASCII characters into the database, that's a different problem which you should solve first instead of going for unsustainable workarounds like storing HTML-encoded data. There are a number of posts here all about getting PHP and databases to talk proper UTF-8, but the main thing is to make sure your HTML output pages themselves are correctly served as UTF-8 using the Content-Type header/meta. Then check your MySQL connection is set to UTF-8, eg using mysql_set_charset().
在创建用于输入数据的SQL字符串时,我使用mysql_real_escape_string().
When creating the SQL string to input the data, I use mysql_real_escape_string().
是的,这是正确的.只要执行此操作,就不会受到SQL注入的攻击.如果您是在数据库端而不是模板输出端进行HTML转义,则可能 容易遭受HTML注入(导致XSS)的侵害.因为没有通过数据库的任何字符串(例如直接从$_GET获取的)都不会被HTML转义.
Yes, that's correct. As long as you do this you are not vulnerable to SQL injection. You might be vulnerabile to HTML-injection (causing XSS) if you are HTML-escaping at the database end instead of the template output end. Because any string that hasn't gone through the database (eg. fetched directly from $_GET) won't have been HTML-escaped.
这篇关于使用Wordpress,有人可以告诉我清除输入的最佳方法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
