PHP user input data security

Question


I am trying to figure out which functions are best to use in different cases when inputting data, as well as outputting data.

When I allow a user to input data into MySQL, what is the best way to secure the data to prevent SQL injections and/or any other type of injection or hack someone could attempt?

When I output the data as regular html from the database, what is the best way to do this so scripts and such cannot be run?

At the moment I basically only use

mysql_real_escape_string(); 

before inputting the data to the database. This seems to work fine, but I would like to know if this is all I need to do, or if some other method is better.

And at the moment I use

stripslashes(nl2br(htmlentities())) 

(most of the time, anyway) for outputting data. I find these work fine for what I usually use them for; however, I have run into a problem with htmlentities: I want to be able to have some html tags output respectively, for example:

<ul></ul><li></li><bold></bold> 

etc, but I can't.

Any help would be great, thanks.

Solution

I agree with mikikg that you need to understand SQL injection and XSS vulnerabilities before you can try to secure applications against these types of problems.

However, I disagree with his assertions to use regular expressions to validate user input as a SQL injection preventer. Yes, do validate user input insofar as you can. But don't rely on this to prevent injections, because hackers break these kinds of filters quite often. Also, don't be too strict with your filters -- plenty of websites won't let me log in because there's an apostrophe in my name, and let me tell you, it's a pain in the a** when this happens.

There are two kinds of security problems you mention in your question. The first is a SQL injection. This vulnerability is a "solved problem." That is, if you use parameterized queries, and never pass user supplied data in as anything but a parameter, the database is going to do the "right thing" for you, no matter what happens. For many databases, if you use parameterized queries, there's no chance of injection because the data isn't actually sent embedded in the SQL -- the data is passed unescaped in a length prefixed or similar blob along the wire. This is considerably more performant than database escape functions, and can be safer. (Note: if you use stored procedures that generate dynamic SQL on the database, they might also have injection problems!)

The second problem you mention is the cross site scripting problem. If you want to allow the user to supply HTML without entity escaping it first, this problem is an open research question. Suffice to say that if you allow the user to pass some kinds of HTML, it's entirely likely that your system will suffer an XSS problem at some point to a determined attacker. Now, the state of the art for this problem is to "filter" the data on the server, using libraries like HTMLPurifier. Attackers can and do break these filters on a regular basis; but as of yet nobody has found a better way of protecting the application from these kinds of things. You may be better off only allowing a specific whitelist of HTML tags, and entity encoding anything else.
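The two halves of this answer (bind user data as a query parameter; entity-encode on output and restore only a fixed whitelist of tags) put together in PHP. This is an added example, not code from the original answer. It uses PDO against an in-memory SQLite database so it runs stand-alone; for MySQL you would swap the DSN, and the `comments` table, its columns and the sample comment text are assumptions made for the demo.

```php
<?php
// Added example (not from the original answer): parameterized input with PDO,
// and whitelist-based output encoding. Table/column names are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    // In-memory SQLite so the example runs offline. For MySQL use a DSN such as
    // 'mysql:host=localhost;dbname=app;charset=utf8mb4' and also set
    // PDO::ATTR_EMULATE_PREPARES => false, so the server prepares the statement
    // and the data travels separately from the SQL text (the answer's point).
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');
    return $pdo;
}

// Input side: the user value is bound as a parameter and never concatenated into
// the SQL string, so quotes and apostrophes in it are just data.
function saveComment(PDO $pdo, int $userId, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:user_id, :body)');
    $stmt->execute([':user_id' => $userId, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (string) $row['body'];
}

// Output side: encode everything, then turn back only these exact, attribute-free
// tag strings. Anything with attributes (e.g. "<li onclick=...>") stays encoded,
// because "&lt;li onclick=" does not match "&lt;li&gt;".
const ALLOWED_TAGS = ['ul', 'li', 'strong', 'em'];

function renderComment(string $body): string
{
    $html = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach (ALLOWED_TAGS as $tag) {
        $html = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $html
        );
    }
    // Newlines become <br>. No stripslashes() is needed: nothing added slashes.
    return nl2br($html, false);
}

// Constructed sample input (not real user data): an apostrophe, a whitelisted
// list, a script tag, and a whitelisted tag carrying an attribute.
$pdo = connect();
$sample = "O'Brien wrote:\n<ul><li><strong>hi</strong></li></ul>\n"
    . "<script>alert(1)</script><li onclick=\"x()\">no</li>";
$id = saveComment($pdo, 42, $sample);
echo renderComment(loadComment($pdo, $id) ?? ''), "\n";
```

Run it with `php example.php`. The apostrophe in the stored name survives the round trip untouched, the `<ul>`, `<li>` and `<strong>` tags come back as real markup, and the `<script>` element and the attribute-bearing `<li>` are rendered as visible text. The whitelist here is deliberately limited to bare tags; if you need attributes (links, images) this string-replacement approach is no longer sufficient, and a real HTML sanitizer such as the HTMLPurifier library mentioned above is the tool for that job.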
