Best way to defend against mysql injection and cross site scripting
Question
At the moment, I apply a 'throw everything at the wall and see what sticks' method of stopping the aforementioned issues. Below is the function I have cobbled together:
function madSafety($string)
{
    // Backslash-escape quotes, NUL and newlines for SQL (needs an open mysql_* connection)
    $string = mysql_real_escape_string($string);
    // Remove backslashes, including the ones the previous line just added
    $string = stripslashes($string);
    // Remove HTML/PHP tags; text outside tags is left as-is
    $string = strip_tags($string);
    return $string;
}
However, I am convinced that there is a better way to do this. I am using FILTER_SANITIZE_STRING and this doesn't appear to be totally secure.
I guess I am asking, which methods do you guys employ and how successful are they? Thanks
Accepted answer
Just doing a lot of stuff that you don't really understand is not going to help you. You need to understand what injection attacks are and exactly how and where you should do what.
Key points:
- Disable magic quotes. They are an inadequate solution, and they confuse matters.
- Never embed strings directly in SQL. Use bound parameters, or escape (using mysql_real_escape_string).
- Don't unescape (e.g. stripslashes) when you retrieve data from the database.
- When you embed strings in html (e.g. when you echo), you should default to escaping the string (using htmlentities with ENT_QUOTES).
- If you need to embed html-strings in html, you must consider the source of the string. If it's untrusted, you should pipe it through a filter. strip_tags is in theory what you should use, but it's flawed; use HtmlPurifier instead.
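The points in the answer above, carried through as one small PHP module. This is an added example and is not code from the question or the answer. Two things have changed since the answer was written and are reflected here: magic quotes were removed in PHP 5.4 and the mysql_* extension (including mysql_real_escape_string) was removed in PHP 7.0, so the SQL side uses PDO with real prepared statements, which makes the "don't escape, don't unescape" rule automatic. The table name, column names, database credentials and the hostile sample input are all placeholders constructed for the example; htmlspecialchars is used in place of htmlentities because it escapes exactly the characters that matter in HTML and leaves UTF-8 text intact, and ENT_QUOTES is kept so the value is also safe inside a quoted attribute. The HTMLPurifier part assumes the ezyang/htmlpurifier package is installed via Composer.

```php
<?php
// Added example (not from the original question or answer).
// Assumed schema: comments(id INT AUTO_INCREMENT PRIMARY KEY, author VARCHAR(64), body TEXT)
// Assumed credentials: placeholders, replace with your own.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // for HTMLPurifier (ezyang/htmlpurifier)

function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: bound values never become part of the SQL text,
            // so no escaping is needed on the way in and no stripslashes on the way out.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Storage: the string is saved exactly as submitted. No escaping, no strip_tags.
function saveComment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output: escape at the point where the string is embedded in HTML.
// ENT_QUOTES covers both ' and " so the value is safe inside attributes as well as text.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<li data-author="' . h($row['author']) . '">' . h($row['body']) . '</li>';
}

// Only for the case where the body is intentionally HTML from an untrusted source:
// whitelist a few tags with HTMLPurifier instead of relying on strip_tags.
function renderRichBody(string $html): string
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($html);
}

// Usage with a deliberately hostile input (constructed for this example).
// The quote and the trailing SQL are stored literally; the <script> tag is
// stored literally too and is neutralised only when rendered by h().
$pdo = connect();
$id  = saveComment($pdo, "O'Brien", "<script>alert(1)</script> Robert'); DROP TABLE comments;--");
echo renderComment(loadComment($pdo, $id)), "\n";
echo renderRichBody('<p onclick="alert(1)">hi <a href="javascript:alert(1)">x</a></p>'), "\n";
```

The split the answer describes is visible in the two halves: nothing is transformed on the way into the database, and every value is escaped at the exact moment it is written into HTML. The one exception, renderRichBody, is for content that is supposed to contain markup; there the purifier removes the onclick attribute and the javascript: URL while keeping the allowed tags, which is what strip_tags cannot do on its own.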