PHP安全用户变量 [英] PHP secure user variable

问题描述

在我的网站上，我有一个名为$user_data的变量，其中包含来自表单的输入.然后，我在用户页面上显示此变量(通过echo).

On my website I have a variable called $user_data that contains input from a form. I then show this variable on the user page (via echo).

使用此变量来避免任何安全风险的最佳方法是什么?我使用strip_tags()，但这还不够.

What is the best method to avoid any security risks with this variable? I use strip_tags(), but it is not enough.

此变量也将保存到MySQL数据库.

This variable also gets saved to a MySQL database.

推荐答案

要避免严重的安全问题，您必须做两件非常重要的事情.

There are two very important things you must do to avoid serious security problems.

1. 您需要先对用户输入进行转义，然后再将其放入SQL查询中.转义表示转义所有特殊字符，例如'；幸运的是，有一个功能已经可以自动执行: mysql_real_escape_string .

1. You need to escape the user input before putting it in your SQL query. Escaping means escape all the special characters such as '; luckily, there is a function that already does it automatically: mysql_real_escape_string.

如果不逃避用户输入，可能会发生令人讨厌的事情.假设您的查询是INSERT INTO userdata VALUES ('$user_data').现在，假设用户写了'; DROP DATABASE userdata;.

If you don't escape user input nasty things could happen. Imagine that your query is INSERT INTO userdata VALUES ('$user_data'). Now imagine that the user wrote '; DROP DATABASE userdata;.

如果不进行转义，您的查询将变为:INSERT INTO userdata VALUES (''; DROP DATABASE userdata;').您可以想象这不是很好:如果启用了多条语句，您可以向数据库道别.这称为 SQL注入攻击.

If you don't escape it, your query will become: INSERT INTO userdata VALUES (''; DROP DATABASE userdata;'). As you can imagine this is not good: if you have multi statements enabled you can kiss goodbye to your database. This is called an SQL Injection attack.

将变量输出给用户时，还需要用HTML实体正确替换HTML特殊字符.幸运的是，也有一个函数可以做到这一点: htmlspecialchars().它将特殊的HTML字符(例如<转换为<).

When you are outputting your variable to the user you also need to properly replace HTML special characters with HTML entities. Luckily, there is a function to do that too: htmlspecialchars(). It will transform the special HTML characters such as < to <.

这似乎是一个经常被低估的问题，但实际上这是非常严重的.想象一下$user_data是否包含<script>SomeNastyScript()</script>.它可能利用用户浏览器中的现有漏洞，或者可能向攻击者发送非HTTPOnly cookie(可能包含已保存的密码)，或者可能诱使用户将密码写在通过操纵DOM(可能在javascript中)或其他很多不好的东西.

This seems to be a problem that is often underestimated, but in reality it's very serious. Imagine if $user_data contains <script>SomeNastyScript()</script>. It could exploit existing vulnerabilities in the browser of your users, or it could send a non-HTTPOnly cookie (that may contain saved passwords) to the attacker, or it could trick the user into writing their password on a form generated through the manipulation of the DOM (possible in javascript), or a lot of other bad things.

这称为 XSS (跨站点脚本).

This is called XSS (Cross-site scripting).

---

简短版

1. 在将字符串插入到SQL查询之前(但在您echo时则不会)在字符串上调用mysql_real_escape_string.

1. Call mysql_real_escape_string on the string before inserting it into your SQL query (but not when you echo it).

在将字符串显示给用户之前(但当您将其放入数据库时​​则不然)在字符串上调用htmlspecialchars.

Call htmlspecialchars on the string before displaying it to the user (but not when you put it in the database).

这篇关于PHP安全用户变量的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！