PHP / JAVASCRIPT / Mysql:防止JavaScript注入 [英] PHP / JAVASCRIPT / Mysql: Preventing javascript injections
问题描述
这可能是此问题的可能重复项,但是它并不能以我(愚蠢的头脑)可以理解的方式来回答我的问题。
好的,我有一个网页公式器如我的上一个问题所示。在将$ txtpost用于mysql查询注入之前,我现在添加了 $ txtpost = htmlentities($ txtpost,ENT_QUOTES); ,这应该可以保护我免受XSS攻击。但是,正如用户在 php.net 上指出的那样,将无法保护我从javascript注入。也就是说,如何防止此类javascript注入?正如您在上一个问题的代码中看到的那样,我不知道将在文本字段中确切输入什么,因此我不能只允许特定的值。请注意,先前问题中的所有错误代码现在都已修复,并且现在都可以正常运行。
VicStudio
This may be a possible duplicate of this question here, but it doesn´t really adress and answer my question in a way that I (stupid-head) can understand it.
Ok, I´ve got a webpage formular as seen in my previous question. Before using $txtpost for mysql query injection, I now added $ txtpost = htmlentities($txtpost, ENT_QUOTES);, which should protect me from XSS-attacks. But, as a user points out on php.net, won´t protect me from javascript injections. That said, how can I prevent such javascript injections? As you can see in the code from the previous question, i don´t know what exactly will be entered into the text field, so I can´t only allow specific values. Note that all code from the previous question, which was wrong, is now repaired and it all works fine at the moment.
VicStudio
推荐答案
好吧,确实没有人将HTML放入数据库的行为受到保护。
Well, it is true that you won't be protected from people putting HTML into your database.
首先
$txtpost = htmlentities($txtpost, ENT_QUOTES);
使用转义引号,使SQL注入的可能性降低。但是我仍然可以执行 OR 1 = 1 。这使每个语句为真。现代技术依赖于准备好的语句(如何用PDO替换MySQL函数?)
Will escape quotes, rendering an SQL-injection less probable. But I can still do OR 1 = 1. Which renders every statement true. Modern technology relies on prepared statements (How to replace MySQL functions with PDO?)
如果您阅读以上内容,将会看到PDO准备语句的示例。您也可以使用MySQLi执行此操作。
If you read the above you'll see a PDO example of prepared statement. You can also do this with MySQLi. It prevents the fact that people can do SQL injection.
第二个:
是的,我仍然可以放置
Second: Yes, I can still put things like
<a href="javascript:alert(1)">XSS</a>
进入您的数据库。您应该使用健全性函数在数据库中定义所需的元素。 PHP给了您
Into your database. You should define the elements you like into your database by using a sanity function. PHP gives you several
- filter_input :允许您过滤和清理某些输入。
- strip_tags :允许您剥离所有标签和/或使用您要允许的标签白名单。
- htmlspecialchars :将所有特殊字符转换为实体。就像到& quot。。
- filter_input: Allows you to filter and sanitize certain input.
- strip_tags: allows you to strip all tags and/or use a white list of tags you do want to allow.
- htmlspecialchars: converts all special characters into entities. Like " to ".
结论是您需要控制自己,然后决定页面上显示的内容。为了安全起见,您可以过滤所有内容并将其以纯文本格式显示在页面上;为了安全起见,我建议进行三遍消毒:在发布之前,将它们传递到数据库时再将其传递到页面上。这样,您可以将注射的危险降到最低。
The conclusion is that you need to be in control. You decide what goes onto your page. So if you want to be safe you can filter everything and put it on your page as plain text. For safety I recommend sanitizing three times. Before the stuff is posted, when it is passed onto the database and again when it is put onto the page. This way you minimalize the danger of having an injection.
这篇关于PHP / JAVASCRIPT / Mysql:防止JavaScript注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
