验证用户输入? [英] Validating user input?
问题描述
我对某些事情非常困惑,想知道是否有人可以解释.
在PHP中,我会验证用户输入,因此htmlentitiies会在插入数据库之前使用mysql_real_escape_string,而不是在所有内容上使用,因为我确实愿意使用正则表达式,尽管我发现它们很难使用.现在显然我将在数据进入数据库时使用mysql_real_escape_string,但不确定仅在从数据库获取数据并将其显示在网页上时才应该使用htmlentities(),因为这样做是在手动更改一个人输入的数据之前不能保持其原始格式,如果我以后要使用该数据用于其他用途,可能会导致问题.
因此,例如,我有一本留言簿,其中包含3个字段,名称,主题和消息.现在很明显,这些字段可以包含js标签中的恶意代码之类的东西,基本上是什么,现在让我感到困惑的是,我说我是一个恶意者,我决定使用js标签和一些恶意的js代码并提交表单,现在基本上我已经是恶意的我的数据库中无用的数据.现在通过在将恶意代码输出到网页(来宾)时使用htmlentities,这不是问题,因为htmlentities已将其转换为安全等效的代码,但是与此同时,我在数据库中却拥有了我不想拥有的无用恶意代码.
所以说完所有这些之后,我的问题是我是否应该接受这样一个事实,即数据库中的某些数据可能是恶意的,无用的数据,而且只要我在输出中使用htmlentities,一切都会好起来还是应该做其他事情?
我读了很多书,说到接收数据时过滤数据并在输出时转义数据,这样就保留了原始格式,但是他们只给出了示例,例如确保使用已内置在php中的函数等,一个字段只是一个int,但是我从来没有发现任何有关确保诸如留言本之类的东西的信息,您希望用户在其中键入他们想要的任何内容,而且还如何过滤除mysql_real_escape_string()之外的此类数据以确保其不会破坏数据库查询?
有人可以最后为我消除这种困惑,并告诉我我应该做什么以及最佳实践是什么?
感谢任何可以解释的人.
干杯!
这是一个很长的问题,但是我认为您实际上要问的内容可以归结为:
在将HTML插入数据库或在显示时是否应该转义HTML?"
这个问题的普遍接受的答案是,当您要向用户显示HTML时,应转义HTML(通过htmlspecialchars),而在将其放入数据库之前,请不. /p>
原因是这样的:数据库存储数据.您要输入的内容是用户键入的内容.当您调用mysql_real_escape_string时,它不会更改插入数据库的内容.它只是避免将用户的输入解释为SQL语句. htmlspecialchars对HTML执行相同的操作;当您打印用户的输入时,它将避免将其解释为HTML.如果您要在插入之前致电htmlspecialchars,那么您将不再忠实.
您应该始终努力获得尽可能高的保真度.由于在数据库中存储恶意"代码没有害处(实际上,它可以为您节省一些空间,因为转义的HTML比未转义的HTML更长!),将来您可能会想要该HTML(如果您在用户注释上使用XML解析器,或者某天让受信任的用户在其注释中包含HTML的子集,等等?怎么办?
您还询问了其他类型的输入验证(整数约束等).您的数据库模式应强制执行这些操作,并且还可以在应用程序层(最好是通过JS输入,然后再通过服务器端进行输入)检查它们.
另一方面,用PHP进行数据库转义的最佳方法可能是使用PDO,而不是直接调用mysql_real_escape_string. PDO具有更高级的功能,包括类型检查.
I am very confused over something and was wondering if someone could explain.
In PHP i validate user input so htmlentitiies, mysql_real_escape_string is used before inserting into database, not on everything as i do prefer to use regular expressions when i can although i find them hard to work with. Now obviously i will use mysql_real_escape_string as the data is going into the database but not sure should i be using htmlentities() only when getting data from database and displaying it on a webpage as doing so before hand is altering the data entered by a person which is not keeping it's original form which may cause problems if i want to use that data later on for use for something else.
So for example, i have a guestbook with 3 fields name, subject and message. Now obviously the fields can contain anything like malicious code in js tags basically anything, now what confuses me is let say i am a malicious person and i decided to use js tags and some malicous js code and submit the form, now basically i have malicious useless data in my database. Now by using htmlentities when outputting the malicious code to the webpage (guestbook) that is not a problem because htmlentities has converted it to it's safe equivalent but then at the same time i have useless malicious code in the database that i would rather not have.
So after saying all this my question is should i accept the fact that some data in the database maybe malicious, useless data and as long as i use htmlentities on output everything will be ok or should i be doing something else aswell?.
I read so many books saying about filtering data on receiving it and escaping it on outputting it so the original form is kept but they only ever give examples like ensuring a field is only an int using functions already built into php etc but i have never found anything in regards ensuring something like a guestbook where you want users to type anything they want but also how you would filter such data apart from mysql_real_escape_string() to ensure it does not break the DB query?
Could someone please finally close this confusion for me and tell me what i should be doing and what is best practice?
Thanks to anyone who can explain.
Cheers!
This is a long question, but I think what you're actually asking boils down to:
"Should I escape HTML before inserting it into my database, or when I go to display it?"
The generally accepted answer to this question is that you should escape the HTML (via htmlspecialchars) when you go to display it to the user, and not before putting it into the database.
The reason is this: a database stores data. What you are putting into it is what the user typed. When you call mysql_real_escape_string, it does not alter what is inserted into the database; it merely avoids interpreting the user's input as SQL statements. htmlspecialchars does the same thing for HTML; when you print the user's input, it will avoid having it interpreted as HTML. If you were to call htmlspecialchars before the insert, you are no longer being faithful.
You should always strive to have the maximum-fidelity representation you can get. Since storing the "malicious" code in your database does no harm (in fact, it saves you some space, since escaped HTML is longer than unescaped!), and you might in the future want that HTML (what if you use an XML parser on user comments, or some day let trusted users have a subset of HTML in their comments, or some such?), why not let it be?
You also ask a bit about other types of input validation (integer constraints, etc). Your database schema should enforce these, and they can also be checked at the application layer (preferably on input via JS and then again server side).
On another note, the best way to do database escaping with PHP is probably to use PDO, rather than calling mysql_real_escape_string directly. PDO has more advanced functionality, including type checking.
这篇关于验证用户输入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
