插入Mysql&中的php-MySql安全方法从MySql获取到屏幕 [英] Php-MySql Security approach while INSERT’ing INTO MySql & fetching from MySql to screen

问题描述

我想我在stackoverflow.com上读到如果您需要转义或类似的操作，请及时进行操作"，因此在验证页面中，我会验证用户输入(是否为空检查，长度检查和结构化验证).检查(例如:邮件结构，自定义标签结构)；我使用$_POST['']变量作为输入.在验证过程中，即使在自定义错误打印部件中，我的错误消息在消息文本中也不包含任何$_POST['']值. br/>
作为临时说明:在php-mysql交互过程中，我使用了准备好的语句和参数化查询.输入是否经过验证；在插入INTO MySql之前，我从输入中剥离标签，因为除自定义结构化标签外，我不允许任何其他html标签. (例如**bold text** === <strong>bold text</strong>)然后将用户输入插入MySql db.

I think I read in stackoverflow.com that "if you need escaping or similar action, do it just in time you need" so in the verification pages that I verify the user inputs (null or not check, length check and structural checks (eg: mail structure, custom tags structures); I use the $_POST[''] variables as inputs. During verifications, even in the custom error printing parts, my error messages does not include any of $_POST[''] values in message texts.

As an interim note: I utilize prepared statements and parameterized queries during php-MySql interactions. If inputs are verified; just before INSERT’ing INTO MySql, I strip the tags from input since I don’t allow any html tags other than custom structured tags. (for example **bold text** === <strong>bold text</strong>) Then I insert the user input into MySql db.

我只应用htmlspecialchars()命令从MySql数据库打印到屏幕上

I only apply htmlspecialchars() command to print out to the screen from MySql db

我不确定自己.我的方法是否有明显或隐藏的弱点?预先感谢php gurus提出的宝贵意见. BR

I am not sure of myself. Is there any obvious or hidden weakness in my approach? Thanks in advance for php gurus’ valuable comments. BR

在插入MySql db的过程中，我不会剥离标签.由于某些原因，请参阅下面的ÁlvaroG.Vicario的注释. BR.

I won't strip tags during insert into MySql db. For reasons, Please refer to comments of ÁlvaroG.Vicario below. BR.

推荐答案

到目前为止，讨论是关于防止SQL注入和持久性跨站点脚本编写的.听起来您在正确的轨道上.

The discussion thus far has been about protecting from SQL Injection and Persistent cross site scripting. It sounds like you're on the right track.

• 您使用准备好的语句是打击SQL注入的最佳实践".
• htmlspecialchars()是防止XSS的一个很好的开始，但是您必须使用适合于输出数据的编码方案来转义数据. OWASP的综合页面对此进行了讨论: XSS(跨站点脚本)预防速查表.简短的答案:确保您使用的是"the escape syntax for the part of the HTML document you're putting untrusted data into."

• Your use of prepared statements is a "best practice" to combat SQL injection.
• htmlspecialchars() is a good start to prevent XSS, but you have to escape data in the encoding scheme that is appropriate to where you are outputting data. OWASP has a comprehensive page that discusses this: XSS (Cross Site Scripting) Prevention Cheat Sheet. The short answer: Ensure you are using "the escape syntax for the part of the HTML document you're putting untrusted data into."

这篇关于插入Mysql&中的php-MySql安全方法从MySql获取到屏幕的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！