清理 PHP 变量，我是否过度使用它? [英] Sanitizing PHP Variables, am I overusing it?

问题描述

我使用 PHP 已经有一段时间了，我开始问自己是否养成了良好的习惯.

I've been working with PHP for some time and I began asking myself if I'm developing good habits.

其中之一是我认为过度使用 PHP 清理方法，例如，一个用户通过表单注册，我得到以下帖子变量:

One of these is what I belive consists of overusing PHP sanitizing methods, for example, one user registers through a form, and I get the following post variables:

$_POST['name']、$_POST['email'] 和 $_POST['captcha'].现在，我通常做的显然是清理我要放入 MySQL 的数据，但是在比较验证码时，我也清理它.

$_POST['name'], $_POST['email'] and $_POST['captcha']. Now, what I usually do is obviously sanitize the data I am going to place into MySQL, but when comparing the captcha, I also sanitize it.

因此，我相信我误解了 PHP 清理，我很好奇，除了使用它在 MySQL 中放置某些东西时，是否还有其他需要清理数据的情况(注意我知道还需要清理以防止 XSS 攻击).此外，我对几乎所有来自用户输入的变量进行消毒的习惯是坏习惯吗?

Therefore I belive I misunderstood PHP sanitizing, I'm curious, are there any other cases when you need to sanitize data except when using it to place something in MySQL (note I know sanitizing is also needed to prevent XSS attacks). And moreover, is my habit to sanitize almost every variable coming from user-input, a bad one ?

推荐答案

每当您将数据存储在某个地方时，如果该数据将被(毫无戒心的)用户读取/可用，那么您必须对其进行清理.因此，应该注意可能会改变用户体验(不一定只是数据库)的事情.通常，所有用户输入都被认为是不安全的，但您会在下一段中看到有些内容可能仍会被忽略，尽管我不建议这样做.

Whenever you store your data someplace, and if that data will be read/available to (unsuspecting) users, then you have to sanitize it. So something that could possibly change the user experience (not necessarily only the database) should be taken care of. Generally, all user input is considered unsafe, but you'll see in the next paragraph that some things might still be ignored, although I don't recommend it whatsoever.

仅在客户端发生的事情经过消毒只是为了更好的 UX(用户体验，考虑表单的 JS 验证 - 从安全的角度来看它是无用的，因为它很容易避免，但它可以帮助非恶意用户拥有更好地与网站互动)但基本上，它不会造成任何伤害，因为一旦会话关闭，数据(好或坏)就会丢失.您总是可以为自己销毁网页(在您的机器上)，但问题是何时有人可以为他人做.

Stuff that happens on the client only is sanitized just for a better UX (user experience, think about JS validation of the form - from the security standpoint it's useless because it's easily avoidable, but it helps non-malicious users to have a better interaction with the website) but basically, it can't do any harm because that data (good or bad) is lost as soon as the session is closed. You can always destroy a webpage for yourself (on your machine), but the problem is when someone can do it for others.

更直接地回答您的问题 - 不要担心做得过头.安全总比后悔好，代价通常不超过几毫秒.

To answer your question more directly - never worry about overdoing it. It's always better to be safe than sorry, and the cost is usually not more than a couple of milliseconds.

这篇关于清理 PHP 变量，我是否过度使用它?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！