How to prevent SQL Injection attack in applications programmed in Zend Framework?


Problem description


I don't have any concept about ZF safety. Do I have to use Filter when operating on a database? Maybe binding is enough? How about this:

$users->update($data, 'id=1');

Should the $data array be filtered somehow? Feel free to write anything you know about the issue.

Could you give some links to good articles about safety in ZF (mainly about SQL Injection and XSS)?

Solution

Short answer
While ZF takes and provides some measures to secure your app, you should still apply the same precautions that you'd use without Zend Framework.


Regarding your code snippet, check out the Chapter on Zend_Db in the Reference Guide:

By default, the values in your data array are inserted using parameters. This reduces risk of some types of security issues. You don't need to apply escaping or quoting to values in the data array.

This doesn't mean you don't have to bother about security. For instance, for the Update method above

The third argument is a string containing an SQL expression that is used as criteria for the rows to change. The values and identifiers in this argument are not quoted or escaped. You are responsible for ensuring that any dynamic content is interpolated into this string safely. See Quoting Values and Identifiers for methods to help you do this.

Note: since you are obviously using Zend_Db_Table, the third argument is the second argument. Internally, the table instance will delegate the call to the db adapter, with the first param being the table instance's table name.


Regarding Zend_View and XSS attack vectors:

Zend_View comes with an initial set of helper classes, most of which relate to form element generation and perform the appropriate output escaping automatically.

Again, most of which does not mean all. Zend_View does provide Zend_View::escape() to help you sanitize output, but this is nothing special.
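The two points above (bound values in the data array, an unquoted where string, and escaped view output) as an added example that is not part of the original answer; it assumes Zend Framework 1 and a hypothetical Zend_Db_Table subclass named Users for a `users` table:

```php
<?php
// Added example (not from the original answer). Assumes ZF1 and a
// hypothetical `Users` table class; adapter configuration is omitted.
require_once 'Zend/Loader/Autoloader.php';
Zend_Loader_Autoloader::getInstance();

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';
}

// Unsafe: the where argument is interpolated verbatim, so a request
// value such as "1 OR 1=1" in $id changes every row.
function updateUserUnsafe(Users $users, array $data, $id)
{
    return $users->update($data, "id=$id");
}

// Safe: values in $data are bound as parameters by update() itself, but
// the where string must be built with the adapter's quoting helpers.
function updateUserSafe(Users $users, array $data, $id)
{
    $adapter = $users->getAdapter();
    // quoteInto() replaces '?' with a value quoted for this adapter.
    $where = $adapter->quoteInto('id = ?', (int) $id);
    return $users->update($data, $where);
}

// When the column itself comes from outside, quoting is not enough:
// quote the identifier AND restrict it to a known-good list.
function updateUserByColumn(Users $users, $column, $value, array $data)
{
    $allowed = array('email', 'username');
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException('Unknown column');
    }
    $adapter = $users->getAdapter();
    $where = $adapter->quoteInto(
        $adapter->quoteIdentifier($column) . ' = ?', $value);
    return $users->update($data, $where);
}

// Output side: escape anything that originated from the request or the
// database before it reaches HTML, regardless of which helper produced it.
$view = new Zend_View();
echo $view->escape($_GET['name']); // <script> becomes &lt;script&gt;
```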
