SQL 注入和 Codeigniter [英] SQL Injection and Codeigniter
问题描述
关于 Codeigniter 及其输入处理能力的一些疑问.有些可能有点奇怪,但他们仍然怀疑.
Some doubts regarding Codeigniter and its Input handling capabilities. Some may be a little weird but they are doubts none-the-less.
- 如果我在 CodeIgniter 中使用 Active Record 类函数,我的输入是否被阻止SQL注入?
- 我在某处读到它确实如此,但我不明白它是如何做到的?或者为什么?
- xssclean 是否也以任何方式处理 SQL 注入?
- If I use the Active Record Class functions in CodeIgniter, is my input prevented against SQL injection?
- I read somewhere that it does, but I don't understand it how? or why?
- Also does xssclean deal with SQL injection in any way?
推荐答案
我的输入是否可以防止 SQL 注入?
is my input prevented against SQL injection?
不完全是自动",但它确实提供了参数化查询.无论是否使用 CodeIgniter,您都应该尽可能优先使用参数化查询而不是查询字符串黑客.
Not exactly ‘automatically’, but it does provide parameterised queries. CodeIgniter or no, you should use parameterised queries in preference to query string hacking whenever possible.
$bof= "a'b";
$zot= 'a';
// Insecure! Don't do this!
//
$this->db->query("SELECT foo FROM bar WHERE bof='$bof' AND zot='$zot'");
// Secure but annoying to write
//
$this->db->query("SELECT foo FROM bar WHERE bof='".$this->db->escape($bof)."' AND zot='".$this->db->escape($zot)."'");
// This is what you want
//
$this->db->query('SELECT foo FROM bar WHERE bof=? AND zot=?', array($bof, $zot));
请注意,这与输入"无关:当您从字符串进行 SQL 查询时,必须使用参数化或转义使它们适合,无论它们是否是用户输入.这是一个简单的正确性问题;安全性是这种正确性的副作用.
Note this is nothing to do with ‘input’: when you make an SQL query from strings you must use parameterisation or escaping to make them fit, regardless of whether they're user input or not. This is a matter of simple correctness; security is a side-effect of that correctness.
类似的,当你将文本输出成HTML时,你需要对其中的<、&和"字符进行HTML编码then.如果您碰巧在没有在 SQL 或 HTML 中转义的情况下使用它们来转义或删除将来可能会带来麻烦的字符,那么尝试摆弄输入以转义或删除这些字符是绝对没有用的.您将破坏您的输出在 HTML 中有意外的 SQL 转义(这就是为什么您会在写得不好的应用程序中看到自乘反斜杠)和在 SQL 中出现不需要的 HTML 转义.并且您是否应该从用户直接输入以外的其他地方获取文本(例如,材料已经在数据库)你根本没有受到保护.
Similarly when you output text into HTML, you need to HTML-encode <, & and " characters in it then. It is absolutely no use trying to fiddle with the input to escape or remove characters that might be troublesome in the future if you happen to use them without escaping in SQL or HTML. You'll mangle your output by having unexpected SQL-escaping in HTML (which is why you see self-multiplying backslashes in badly-written apps) and unwanted HTML-escaping in SQL. And should you take text from somewhere other than that direct user input (say, material already in the database) you aren't protected at all.
xssclean 是否也以任何方式处理 SQL 注入?
Also does xssclean deal with SQL injection in any way?
没有.它的目标是 HTML 注入.但它比毫无价值更糟糕.永远不要使用它.
No. It's aimed at HTML injection. But it's worse than worthless. Never use it.
XSS 过滤"完全是假的(同样,CodeIgniter 或其他任何人的).XSS 需要通过正确的 HTML 转义输出来防止,而不是修改输入.如果您的应用程序尚不安全,XSS 过滤将不能充分保护您;充其量它会混淆你现有的缺陷并给你一种错误的安全感.它还会破坏很多 CI 认为看起来像标签的有效输入.
"XSS filtering" is completely bogus (again, CodeIgniter's or anyone else's). XSS needs to be prevented by correctly HTML-escaping output, not mangling input. XSS filtering will not adequately protect you if your application is not already secure; at best it will obfuscate your existing flaws and give you a false sense of security. It will also mangle a lot of valid input that CI thinks looks like tags.
这篇关于SQL 注入和 Codeigniter的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
