清理PHP/SQL $ _POST，$ _ GET等...? [英] Sanitizing PHP/SQL $_POST, $_GET, etc...?

问题描述

好的，我知道这是一个温床.我也了解这种情况取决于您用作代码的方式.我有三种情况需要解决.

Ok, this subject is a hotbed I understand that. I also understand that this situation is dependent on what you are using as code. I have three situations that need to be resolved.

1. 我有一个表格，我们需要在此表格中允许人们发表使用逗号，波浪号等的注释和语句，但是仍然可以免受攻击.

1. I have a form in where we need to allow people to make comments and statements that use commas, tildes, etc... but still remain safe from attacks.

我输入的日期是这样的:用英语输入10/13/11 mm/dd/yy，可以将其清除吗?

I have people entering in dates like this: 10/13/11 mm/dd/yy in English, can this be sanitized?

我如何理解如何正确使用htmlspecialchars()，htmlentities()和real_escape_string()?我已经阅读了php.net网站和此处的一些帖子，但是在我看来，这是一种情况，其中一切都取决于阅读该问题的人的正确答案是什么.

How do I understand how to use htmlspecialchars(), htmlentities() and real_escape_string() correctly? I've read the php.net site and some posts here but this seems to me to be a situation in where it all depends on the person reading the question what the right answer is.

我真的不能接受...必须回答一个问题，即可以清除与我在此处发布的文本格式类似的文本格式.我想知道是否可行以及如何实现.

I really can't accept that... there has to be an answer wherein text formats similar to that which I am posting here can be sanitized. I'd like to know if and how it is possible.

谢谢...因为在我看来，当我在其他地方问这个问题时，往往会很烦...我正在学习我需要知道的内容，但我认为我在没有任何知识的情况下就达到了高原这是做什么的例子...

Thanks... because it seems to me that when asking this question in other places it tends to annoy... I am learning what I need to know but I think I have hit a plateau in what I can know without an example of what it is meant to do...

先谢谢了.

推荐答案

这是一个非常重要的问题，它实际上有一个简单的编码形式的答案.您面临的问题是您同时使用多种语言.首先，您使用HTML，然后使用PHP，然后再使用SQL.所有这些语言都有自己的语法规则.

It's a very important question and it actually has a simple answer in the form of encodings. The problem you are facing it that you use a lot of languages at the same time. First you are in HTML, then in PHP and a few seconds later in SQL. All these languages have their own syntax rules.

要记住的是:字符串应始终采用正确的编码.

The thing to remember is: a string should at all times be in its proper encoding.

让我们举个例子.您有一个HTML表单，并且用户在其中输入以下字符串:

Lets take an example. You have a HTML form and the user enters the following string into it:

I really <3 dogs & cats ;')

按下提交按钮后，此字符串将发送到您的PHP脚本.让我们假设这是通过GET完成的.它被附加到URL上，URL具有自己的语法(例如&字符具有特殊含义)，因此我们正在更改语言.这意味着必须将字符串转换为正确的URL编码.在这种情况下，浏览器可以执行此操作，但是PHP对此也具有urlencode函数.

Upon pressing the submit button, this string is being send to your PHP script. Lets assume this is done through GET. It gets appended to the URL, which has its own syntax (the & character has special meaning for instance) so we are changing languages. This means the string must be transformed into the proper URL-encoding. In this case the browser does it, but PHP also has an urlencode function for that.

在PHP脚本中，字符串存储在$_GET中，编码为PHP字符串.只要您在编写PHP代码，就完全可以了.但是，现在让该字符串在SQL查询中使用.我们更改了语言和语法规则，因此必须通过mysql_real_escape_string函数将字符串编码为SQL.

In the PHP script, the string is stored in $_GET, encoded as a PHP string. As long as you are coding PHP, this is perfectly fine. But now lets put the string to use in a SQL query. We change languages and syntax rules, therefore the string must be encoded as SQL through the mysql_real_escape_string function.

在另一端，我们可能希望再次将字符串显示给用户.我们从数据库中检索该字符串，并将其作为PHP字符串返回给我们.当我们想将其嵌入HTML进行输出时，我们又在更改语言，因此我们必须通过htmlspecialchars函数将字符串编码为HTML.

At the other end, we might want to display the string back to the users again. We retrieve the string from the database and it is returned to us as a PHP string. When we want to embed it in HTML for output, we're changing languages again so we must encode our string to HTML through the htmlspecialchars function.

在整个过程中，字符串始终采用正确的编码，这意味着将对用户可以想到的任何字符进行相应的处理.一切都应该顺利，安全地进行.

Throughout the way, the string has always been in the proper encoding, which means any character the user can come up with will be dealt with accordingly. Everything should be running smooth and safe.

要避免的事情(有时甚至是无知的人建议这样做)是过早地对您的字符串进行编码.例如，您可以将htmlspecialchars应用于字符串之前，将其放入数据库中.这样，以后从数据库中检索字符串时，可以将其粘贴在HTML中没有问题.听起来不错?是的，在您开始获得人们的支持票之前，这真的很棒，他们想知道为什么他们的PDF收据里装满了& >垃圾.

A thing to avoid (sometimes this is even recommended by the ignorant) is prematurely encoding your string. For instance, you could apply htmlspecialchars to the string before putting it in the database. This way, when you retrieve the string later from the database you can stick it in the HTML no problem. Sound great? Yeah, really great until you start getting support tickets of people wondering why their PDF receipts are full of & > junk.

在代码中:

form.html:

form.html:

<form action="post.php" method="get">
    <textarea name="comment">
        I really <3 dogs &amp; cats ;')
    </textarea>
    <input type="submit"/>
</form>

它生成的URL:

http://www.example.org/form.php?comment=I%20really%20%3C3%20dogs%20&%20cats%20;')

post.php:

// Connect to database, etc....

// Place the new comment in the database
$comment = $_GET['comment']; // Comment is encoded as PHP string

// Using $comment in a SQL query, need to encode the string to SQL first!
$query = "INSERT INTO posts SET comment='". mysql_real_escape_string($comment) ."'";
mysql_query($query);

// Get list of comments from the database
$query = "SELECT comment FROM posts";

print '<html><body><h2>Posts</h2>';
print '<table>';

while($post = mysql_fetch_assoc($query)) {
    // Going from PHP string to HTML, need to encode!
    print '<tr><td>'. htmlspecialchars($post['comment']) .'</td></tr>';
}

print '</table>';
print '</body></html>'

这篇关于清理PHP/SQL $ _POST，$ _ GET等...?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！