PHP表单输入过滤 [英] PHP Form Input Filtering

问题描述

我是PHP新手，正在研究基本的表单验证脚本.我知道出于安全考虑，输入过滤和输出转义都至关重要.我的问题是我下面编写的代码是否足够安全?首先要澄清一些注意事项.

I am a PHP newbie and am working on a basic form validation script. I understand that input filtering and output escaping are both vital for security reasons. My question is whether or not the code I have written below is adequately secure? A few clarifying notes first.

1. 我知道清除和验证之间是有区别的.在下面的示例字段中，该字段为纯文本，因此我需要对其进行消毒.
2. $ clean ['myfield']是我要发送到MySQL数据库的值.我正在使用准备好的语句进行数据库交互.
3. $ html ['myfield']是我发送回客户端的值，以便当他/她提交具有无效/不完整数据的表单时，将重新填充其中包含数据的已清理字段，因此它们不会不必从头开始输入所有内容.

这里是(稍作清理)的代码:

Here is the (slightly cleaned up) code:

$clean = array();
$html = array();
$_POST['fname'] = filter_var($_POST['fname'], FILTER_SANITIZE_STRING);
$clean['fname'] = $_POST['fname'];
$html['fname'] = htmlentities($clean['fname'], ENT_QUOTES, 'UTF-8');
if ($_POST['fname'] == "") {
    $formerrors .= 'Please enter a valid first name.<br/><br/>';
}
else {
    $formerrors .= 'Name is valid!<br/><br/>';
}

感谢您的帮助！

〜讨厌

推荐答案

我知道出于安全考虑，输入过滤和输出转义都是至关重要的.

I understand that input filtering and output escaping are both vital for security reasons.

我想说的是，出于安全性和正确性的原因，输出转义至关重要，而输入过滤对于深度防御和实施特定的应用程序规则可能是有用的措施.

I'd say rather that output escaping is vital for security and correctness reasons, and input filtering is potentially-useful measure for defence-in-depth and to enforce specific application rules.

输入过滤步骤和输出转义步骤必定是分开的关注点，不能合并为一个步骤，尤其是因为存在许多不同类型的输出转义，并且必须为每个输出上下文选择正确的步骤(例如，页面中的HTML转义，链接的URL转义，SQL的转义等等.

The input filtering step and the output escaping step are necessarily separate concerns, and cannot be combined into one step, not least because there are many different types of output escaping, and the right one has to be chosen for each output context (eg HTML-escaping in a page, URL-escaping to make a link, SQL-escaping, and so on).

不幸的是，PHP传统上在这些问题上非常朦胧，因此提供了很多混合消息功能，这些功能可能会误导您.

Unfortunately PHP is traditionally very hazy on these issues and so offers a bunch of mixed-message functions that are likely to mislead you.

在下面的示例字段中，该字段是纯文本，因此我需要做的是对其进行清理.

In the example field below, the field is plain text, so all I need to do is sanitize it.

是的. <，FILTER_SANITIZE_STRING绝对不是理智的解决方案.它完全删除了某些内容(strip_tags，这本身是非常不明智的)，而HTML却转义了其他内容.例如，引号变成".这是胡说八道.

Yes. Alas, FILTER_SANITIZE_STRING is not in any way a sane sanitiser. It completely removes some content (strip_tags, which is itself highly non-sensible) whilst HTML-escaping other content. eg quotes turn into ". This is a nonsense.

相反，要进行输入卫生检查，请查看:

Instead, for input sanitisation, look at:

• 检查它是否是您正在使用的编码的有效字符串(希望是UTF-8；请参见例如删除控制字符U + 0000–U + 001F和U + 007F–U + 009F.只允许在有意的多行文本字段上使用换行符；

  removing control characters, U+0000–U+001F and U+007F–U+009F. Allow the newline through only on deliberate multi-line text fields;

  删除不适合用于标记的字符;

  对于其内容模型比任意文本字符串更具体的数据，逐字段验证输入是否符合应用程序要求.尽管转义字符应正确处理<字符，但在没有意义的领域中尽早删除它可能是个好主意.

  validating the input conforms to application requirements on a field-by-field basis, for data whose content model is more specific than arbitrary text strings. Although your escaping should handle a < character correctly, it's probably a good idea to get rid of it early in fields where it makes no sense to have one.

  对于输出转义步骤，我通常更喜欢htmlspecialchars()而不是htmlentities()，尽管您正确地使用了UTF-8参数可以阻止后者以通常的方式中断.

  For the output escaping step I'd generally prefer htmlspecialchars() to htmlentities(), though your correct use of the UTF-8 argument stops the latter function breaking in the way it usually does.

  这篇关于PHP表单输入过滤的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！