Why is filter_input() incomplete?


Question

I am working a lot on a PHP-based CMS at the moment, and while I'm at it I would like to move all the handling and sanitation of user input to one central place. (At the moment, it's a $_REQUEST here, a $_GET there, and so on).

I like filter_input() very much and would like to use it for basic sanitation, but I'm unclear as to whether this function is really production ready. For example, the documentation names the following parameters for $type

INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV, INPUT_SESSION (not implemented yet) and INPUT_REQUEST (not implemented yet).

The function has existed since 5.2.0, so why are two crucial elements not implemented yet? If I want to fetch data from $_REQUEST, I have to use a workaround from the user-contributed notes. Is there a special reason for this? Is this function still in some kind of beta? Is it trustworthy as the first call to handle incoming data?

Maybe somebody familiar with the PHP development process can shed some light on this.

Recommended answer

I would like to move all the handling and sanitation of user input to one central place

Yes, how lovely that would be. It can't be done. That's not how text processing works.

If you're inserting text from one context into another you need to use the right escapes. (mysql_real_escape_string for MySQL string literals, htmlspecialchars for HTML content, urlencode for URL parameters, others for specific contexts). At the start of your script when you're filtering, you don't know where your input is going to end up, so you don't know how to escape it.

Maybe one input string is going both into the database (needs to be SQL-escaped) and directly onto the page (needs to be HTML-escaped). There's no one escape that covers both those cases. You can use both escapes one after the other, but then the value in the HTML will have weird backslashes appearing in it and the copy in the database will be full of ampersands. A few rounds of this misencoding and you get that situation where every time you edit something, long strings of \\\\\\\\\\\\\\\\\\\\ and & come out.

The only way you can safely filter in one go at start time is by completely removing all characters that need to be escaped in any of the contexts you're going to be using them in. But that means no apostrophes or backslashes in your HTML, no ampersands or less-thans in your database, and probably a whole load of other URL-unfriendly punctuation has to go too. For a simple site that doesn't take arbitrary text you could maybe get away with that. But usually not.

So you can only escape on the fly when one type of text goes into another. The best strategy to avoid the problem is to avoid concatenating text into other contexts as much as you possibly can, for example by using parameterised queries instead of SQL string building, and either defining an echo(htmlspecialchars()) function with a nice short name to make it less work to type, or using an alternative templating system that HTML-escapes by default.
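As an added illustration of the answer's point (example code, not part of the original post): one request value is validated once at the entry point with filter_input(), then escaped separately at each place it is inserted, with a PDO prepared statement standing in for any SQL escaping at all. The helper name h(), the SQLite in-memory database and the sample name "O'Brien & Sons <b>" are constructed for the example.

```php
<?php
// The same user-supplied string goes into three contexts (SQL, HTML element content,
// a URL inside an HTML attribute). Each gets its own escape at the point of insertion;
// filter_input() at the top only checks the shape of the input, it does not escape it.

$id   = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);   // false if not an int, null if absent
$name = filter_input(INPUT_GET, 'name', FILTER_UNSAFE_RAW);   // string as sent, null if absent

if (!is_int($id)) {
    $id = 1;                            // constructed fallback so the script runs from the CLI
}
if ($name === null || $name === false) {
    $name = "O'Brien & Sons <b>";       // constructed sample that is awkward in every context
}

// Short-named HTML escaper, as the answer suggests. ENT_QUOTES also escapes ' and ",
// so the result is safe inside attribute values as well as element content.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Context 1: SQL. No escaping of the value; the driver keeps data and query text apart,
// so the apostrophe is stored exactly as typed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO users (id, name) VALUES (:id, :name)');
$insert->execute([':id' => $id, ':name' => $name]);

$select = $pdo->prepare('SELECT name FROM users WHERE id = :id');
$select->execute([':id' => $id]);
$stored = $select->fetchColumn();      // "O'Brien & Sons <b>", no backslashes added

// Context 2: HTML element content. Escape only now, when the destination is known.
echo '<p>Hello, ' . h($stored) . "</p>\n";

// Context 3: a URL query parameter inside an HTML attribute. Two grammars are nested,
// so two escapes are applied inner-to-outer: URL encoding first, then HTML escaping.
echo '<a href="/profile?name=' . h(rawurlencode($stored)) . "\">profile</a>\n";
```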
