转义变量 [英] Escaping variables
问题描述
我已经阅读了,足够,甚至建议在输出上转义字符,而不是输入。
I've read that it's enough and even recommended to escape characters on the output, not on the input.
它可以很容易地应用于所有获取变量它们不会从表单级别注入数据库。
It could be easily applied to all get variables as they are not injected to the database from the form level.
但是,我不知道如何处理所有的post变量。如果不是来自数据库,那么如果是原始输入数据,则完全需要转义。但是我使用PDO prepare / execute来转义所有的变量。现在问题:
However, I'm not sure what to do with all post variables. If it doesn't come from the database, so if it's a raw input data, escaping is fully needed. But I'm using PDO prepare/execute to escape all variables. Questions now:
- 在选择和插入语句中使用PDO的准备/执行是否可行?不是两次转义变量?
- 让我们通过PDO exeute语句获得一些变量 - 是否可以简单地用$ _POST ['variable']显示此变量而不转义它如果已经在PDO函数中完成了)?
- htmlspecialchars()是否足以避免诸如GET数据库之类的数据库不可用的变量?
最重要的是 - 所有这一切,PDO准备/执行和htmlspecialchars(),足以防止所有XSS攻击?还是我还要做更多?如果是这样,那应该是什么?从输入中删除所有html标签?使用BB代码?
And the most important - is all of this, PDO prepare/execute, and htmlspecialchars(), enough to prevent all XSS attacks? Or should I also do more? If so, what should this be? Removing all html tags from the input? Using BB-Code instead?
推荐答案
我已经阅读了足够,甚至建议逃脱字符
在输出上,而不是输入。
I've read that it's enough and even recommended to escape characters on the output, not on the input.
通常,您要:
- 验证输入并使用准备好的语句存储它。准备的语句将保护您的数据库免受SQL注入。通常,您不希望在输入上删除HTML标签,因为这样做可能会导致数据完整性的损失。
- 显示用户生成的数据时(输出),您可以使用htmlentities和mb_convert_encoding的组合来防范XSS。
- Validate input and store it using prepared statements. Prepared statements will protect your database against SQL injections. Typically, you don't want to strip out HTML tags on input because doing so could lead to a loss of data integrity.
- When displaying user-generated data (output), you can guard against XSS by using a combination of htmlentities and mb_convert_encoding.
注意 htmlspecialchars 函数从另一个问题:
即使您在HTML标签之外使用htmlspecialchars($ string),您
仍然容易受到多字节字符集攻击向量的困扰。
Even if you use htmlspecialchars($string) outside of HTML tags, you are still vulnerable to multi-byte charset attack vectors.
最有效的是使用
mb_convert_encoding 和 htm未成年人如下。
The most effective you can be is to use the a combination of mb_convert_encoding and htmlentities as follows.
$str = mb_convert_encoding($str, ‘UTF-8′, ‘UTF-8′);
$str = htmlentities($str, ENT_QUOTES, ‘UTF-8′);
这篇关于转义变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
