PHP安全用户变量 [英] PHP secure user variable
问题描述
在我的网站上,我有一个名为$user_data
的变量,其中包含来自表单的输入.然后,我在用户页面上显示此变量(通过echo).
On my website I have a variable called $user_data
that contains input from a form. I then show this variable on the user page (via echo).
使用此变量来避免任何安全风险的最佳方法是什么?我使用strip_tags()
,但这还不够.
What is the best method to avoid any security risks with this variable? I use strip_tags()
, but it is not enough.
此变量也将保存到MySQL数据库.
This variable also gets saved to a MySQL database.
推荐答案
要避免严重的安全问题,您必须做两件非常重要的事情.
There are two very important things you must do to avoid serious security problems.
-
您需要先对用户输入进行转义,然后再将其放入SQL查询中.转义表示转义所有特殊字符,例如
'
;幸运的是,有一个功能已经可以自动执行: mysql_real_escape_string .
You need to escape the user input before putting it in your SQL query. Escaping means escape all the special characters such as
'
; luckily, there is a function that already does it automatically: mysql_real_escape_string.
如果不逃避用户输入,可能会发生令人讨厌的事情.假设您的查询是INSERT INTO userdata VALUES ('$user_data')
.现在,假设用户写了'; DROP DATABASE userdata;
.
If you don't escape user input nasty things could happen. Imagine that your query is INSERT INTO userdata VALUES ('$user_data')
. Now imagine that the user wrote '; DROP DATABASE userdata;
.
如果不进行转义,您的查询将变为:INSERT INTO userdata VALUES (''; DROP DATABASE userdata;')
.您可以想象这不是很好:如果启用了多条语句,您可以向数据库道别.这称为 SQL注入攻击.
If you don't escape it, your query will become: INSERT INTO userdata VALUES (''; DROP DATABASE userdata;')
. As you can imagine this is not good: if you have multi statements enabled you can kiss goodbye to your database. This is called an SQL Injection attack.
将变量输出给用户时,还需要用HTML实体正确替换HTML特殊字符.幸运的是,也有一个函数可以做到这一点: htmlspecialchars().它将特殊的HTML字符(例如<
转换为<
).
When you are outputting your variable to the user you also need to properly replace HTML special characters with HTML entities. Luckily, there is a function to do that too: htmlspecialchars(). It will transform the special HTML characters such as <
to <
.
这似乎是一个经常被低估的问题,但实际上这是非常严重的.想象一下$user_data
是否包含<script>SomeNastyScript()</script>
.它可能利用用户浏览器中的现有漏洞,或者可能向攻击者发送非HTTPOnly cookie(可能包含已保存的密码),或者可能诱使用户将密码写在通过操纵DOM(可能在javascript中)或其他很多不好的东西.
This seems to be a problem that is often underestimated, but in reality it's very serious. Imagine if $user_data
contains <script>SomeNastyScript()</script>
. It could exploit existing vulnerabilities in the browser of your users, or it could send a non-HTTPOnly cookie (that may contain saved passwords) to the attacker, or it could trick the user into writing their password on a form generated through the manipulation of the DOM (possible in javascript), or a lot of other bad things.
这称为 XSS (跨站点脚本).
This is called XSS (Cross-site scripting).
简短版
-
在将字符串插入到SQL查询之前(但在您
echo
时则不会)在字符串上调用mysql_real_escape_string
.
Call
mysql_real_escape_string
on the string before inserting it into your SQL query (but not when youecho
it).
在将字符串显示给用户之前(但当您将其放入数据库时则不然)在字符串上调用htmlspecialchars
.
Call htmlspecialchars
on the string before displaying it to the user (but not when you put it in the database).
这篇关于PHP安全用户变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!