如何使用 PHP 清理用户输入? [英] How can I sanitize user input with PHP?

问题描述

是否有一个包罗万象的功能可以很好地清理用户输入以应对 SQL 注入和 XSS 攻击，同时仍然允许某些类型的 HTML 标签?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

推荐答案

认为可以过滤用户输入是一个常见的误解.PHP 甚至有一个(现已弃用)功能"，称为 magic-quotes，建立在这个想法之上.这是胡说八道.忘记过滤(或清洁，或任何人们所说的).

It's a common misconception that user input can be filtered. PHP even has a (now deprecated) "feature", called magic-quotes, that builds on this idea. It's nonsense. Forget about filtering (or cleaning, or whatever people call it).

为了避免出现问题，您应该做的很简单:每当您将一段数据嵌入到外部代码中时，您必须根据该代码的格式规则来处理它.但您必须明白，这些规则可能过于复杂，无法手动全部遵循.例如，在 SQL 中，字符串、数字和标识符的规则都是不同的.为了您的方便，在大多数情况下，有一个专门的工具用于这种嵌入.例如，当您需要在 SQL 查询中使用 PHP 变量时，您必须使用准备好的语句，它将负责所有正确的格式/处理.

What you should do, to avoid problems, is quite simple: whenever you embed a a piece of data within a foreign code, you must treat it according to the formatting rules of that code. But you must understand that such rules could be too complicated to try to follow them all manually. For example, in SQL, rules for strings, numbers and identifiers are all different. For your convenience, in most cases there is a dedicated tool for such an embedding. For example, when you need to use a PHP variable in the SQL query, you have to use a prepared statement, that will take care of all the proper formatting/treatment.

另一个例子是 HTML:如果你在 HTML 标记中嵌入字符串，你必须用 htmlspecialchars.这意味着每个 echo 或 print 语句都应该使用 htmlspecialchars.

Another example is HTML: If you embed strings within HTML markup, you must escape it with htmlspecialchars. This means that every single echo or print statement should use htmlspecialchars.

第三个示例可能是 shell 命令:如果您要将字符串(例如参数)嵌入到外部命令中，并使用 exec，那么你必须使用 escapeshellcmd 和 escapeshellarg.

A third example could be shell commands: If you are going to embed strings (such as arguments) to external commands, and call them with exec, then you must use escapeshellcmd and escapeshellarg.

此外，一个非常引人注目的例子是 JSON.规则如此众多且复杂，您永远无法手动全部遵守.这就是为什么您永远不应该手动创建 JSON 字符串，而应始终使用专用函数 json_encode() 将正确格式化每一位数据.

Also, a very compelling example is JSON. The rules are so numerous and complicated that you would never be able to follow them all manually. That's why you should never ever create a JSON string manually, but always use a dedicated function, json_encode() that will correctly format every bit of data.

等等……

您需要主动过滤数据的唯一情况是您接受预格式化的输入.例如，如果您让您的用户发布 HTML 标记，您打算在网站上显示这些标记.但是，您应该明智地不惜一切代价避免这种情况，因为无论您过滤得多么好，它始终是一个潜在的安全漏洞.

The only case where you need to actively filter data, is if you're accepting preformatted input. For example, if you let your users post HTML markup, that you plan to display on the site. However, you should be wise to avoid this at all cost, since no matter how well you filter it, it will always be a potential security hole.

这篇关于如何使用 PHP 清理用户输入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！