什么是最好的PHP输入消毒功能? [英] What are the best PHP input sanitizing functions?
问题描述
我对PHP /编程非常陌生,考虑到这一点,我正在想出一个函数,可以将所有的字符串传递给sanatize。因此,从它出来的字符串将是安全的数据库插入。但是,有太多的过滤功能,我不知道哪些我应该使用/需要。请帮我填一下空格:
$ b $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ );
$ string = htmlentities($ string);
等...
return $ string;
Stop!
你在这里犯了一个错误。哦,不,你已经选择了正确的PHP函数来使你的数据更安全一些。没关系。您的错误在于操作顺序,以及如何以及在哪里使用这些功能。
了解消毒和验证用户数据,用于存储的数据转义数据以及用于呈现的数据转义。
清理和验证用户数据
用户提交数据,你需要确保他们提供了你期望的东西。
清理和过滤
例如,如果您期望有一个数字,确保提交的数据是一个数字。您还可以将用户数据转换为其他类型。所有提交的内容最初都被视为一个字符串,所以将已知数字数据强制为一个整数或浮点数可以快速无痛地消毒。
自由格式文本字段和文字区域?你需要确保在这些领域没有任何意外。主要是,您需要确保不应该有任何HTML内容的字段不包含HTML。有两种方法可以解决这个问题。
首先,您可以尝试转义 HTML输入 htmlspecialchars 。您不应该使用 htmlentities 来中和HTML,因为它会第二,你可以尝试删除任何可能的HTML。 strip_tags 既简单又快捷。 HTML Purifier 做了更加彻底的工作,既去掉所有的HTML,也允许通过选择性的标签和属性的白名单。
现代PHP版本附带过滤器扩展 ,这提供了一个全面的方式来消毒用户输入。
验证
确保提交的数据没有意外的内容只是一半的工作。您还需要尝试确保所提交的数据包含实际可以使用的值。
如果您期望1到10之间的数字,您需要检查该值。如果您正在使用一个新的HTML5时代的数字输入与微调和步骤,确保提交的数据是符合步骤。
如果该数据来自应该是一个下拉菜单,确保提交的值是出现在菜单中的值。
满足其他需求的文本输入如何?例如,日期输入应该通过 strtotime 或 DateTime类。给定的日期应该在你期望的范围之间。那么电子邮件地址呢?前面提到的过滤器扩展名可以检查一个地址格式正确,但我是<一个href =https://github.com/dominicsayers/isemail =noreferrer> is_email库。
所有其他表单控件。有单选按钮?根据列表进行验证。有复选框?根据列表进行验证。有文件上传?确保文件是预期的类型,并将文件名视为未经过滤的用户数据。
每个现代浏览器都有一套完整的开发工具,使任何人操纵你的表单变得微不足道。 您的代码应该假定用户已经完全删除了表单内容的所有客户端限制!
转义存储数据
现在您已经确定您的数据是预期的格式,并且只包含期望值,您需要考虑将数据保存到存储中。
每一个数据存储机制都有一个确保数据正确转义和编码的具体方法。如果您正在构建SQL,那么在查询中传递数据的可接受方式是通过准备好的占位符语句。
在PHP中使用大多数SQL数据库的更好方法之一是 PDO扩展。它遵循准备声明的常见模式,绑定变量到语句,然后将语句和变量发送到服务器。如果您在这里有一个很好的面向MySQL的教程之前没有使用过PDO。
有些SQL数据库在PHP中有自己的特殊扩展,包括 SQL Server , PostgreSQL 和 SQLite 3 。每个扩展都准备了语句支持,这些语句支持与PDO以相同的准备绑定执行方式运行。有时您可能需要使用这些扩展来代替PDO来支持非标准的功能或行为。
MySQL也有自己的PHP扩展。事实上其中两个。您只想使用 mysqli 。旧的mysql扩展名已被弃用,不安全或理智在现代使用。
我个人不是mysqli的粉丝。在准备好的语句上执行变量绑定的方式是不灵活的,可能是一个痛苦的使用。如果您不使用SQL数据库来存储数据,请检查您正在使用的数据库接口的文档,以确定如何使用PDO。通过它安全地传递数据。
如果可能,请确保您的数据库以适当的格式存储您的数据。将数字存储在数字字段中。将日期存储在日期字段中。将货币存储在小数域中,而不是浮点域。阅读数据库提供的文档,了解如何正确存储不同的数据类型。
转义数据
每次向用户显示数据时,都必须确保数据安全地被转义,除非您知道它不应该被转义。
<发布HTML时,您几乎总是应该通过
htmlspecialchars 。事实上,你不应该这样做的唯一时候是当你知道用户提供了HTML,而且你知道它已经使用白名单清理了它。 有时您需要使用PHP生成一些Javascript。 Javascript没有像HTML一样的转义规则!通过PHP为用户提供的值提供给Javascript的安全方法是通过 json_encode 。
还有更多
数据验证还有很多细微之处。例如,字符集编码可能是一个巨大的陷阱。您的应用程序应遵循 UTF-8一直贯穿中列出的做法。当把字符串数据视为错误的字符集时,会出现假想的攻击。</ p>
之前我提到过浏览器调试工具。这些工具也可以用来操纵cookie数据。 Cookie应被视为不受信任的用户输入。
数据验证和转义只是Web应用程序安全性的一个方面。您应该让自己意识到 Web应用程序攻击方法,以便您可以构建防御他们。
I am very new to PHP/programming, with that in mind I am trying to come up with a function that I can pass all my strings through to sanatize. So that the string that comes out of it will be safe for database insertion. But there are so many filtering functions out there I am not sure which ones I should use/need. Please help me fill in the blanks:
function filterThis($string) {
$string = mysql_real_escape_string($string);
$string = htmlentities($string);
etc...
return $string;
}
Stop!
You're making a mistake here. Oh, no, you've picked the right PHP functions to make your data a bit safer. That's fine. Your mistake is in the order of operations, and how and where to use these functions.
It's important to understand the difference between sanitizing and validating user data, escaping data for storage, and escaping data for presentation.
Sanitizing and Validating User Data
When users submit data, you need to make sure that they've provided something you expect.
Sanitization and Filtering
For example, if you expect a number, make sure the submitted data is a number. You can also cast user data into other types. Everything submitted is initially treated like a string, so forcing known-numeric data into being an integer or float makes sanitization fast and painless.
What about free-form text fields and textareas? You need to make sure that there's nothing unexpected in those fields. Mainly, you need to make sure that fields that should not have any HTML content do not actually contain HTML. There are two ways you can deal with this problem.
First, you can try escaping HTML input with htmlspecialchars. You should not use htmlentities to neutralize HTML, as it will also perform encoding of accented and other characters that it thinks also need to be encoded.
Second, you can try removing any possible HTML. strip_tags is quick and easy, but also sloppy. HTML Purifier does a much more thorough job of both stripping out all HTML and also allowing a selective whitelist of tags and attributes through.
Modern PHP versions ship with the filter extension, which provides a comprehensive way to sanitize user input.
Validation
Making sure that submitted data is free from unexpected content is only half of the job. You also need to try and make sure that the data submitted contains values you can actually work with.
If you're expecting a number between 1 and 10, you need to check that value. If you're using one of those new fancy HTML5-era numeric inputs with a spinner and steps, make sure that the submitted data is in line with the step.
If that data came from what should be a drop-down menu, make sure that the submitted value is one that appeared in the menu.
What about text inputs that fulfill other needs? For example, date inputs should be validated through strtotime or the DateTime class. The given date should be between the ranges you expect. What about email addresses? The previously mentioned filter extension can check that an address is well-formed, though I'm a fan of the is_email library.
The same is true for all other form controls. Have radio buttons? Validate against the list. Have checkboxes? Validate against the list. Have a file upload? Make sure the file is of an expected type, and treat the filename like unfiltered user data.
Every modern browser comes with a complete set of developer tools built right in, which makes it trivial for anyone to manipulate your form. Your code should assume that the user has completely removed all client-side restrictions on form content!
Escaping Data for Storage
Now that you've made sure that your data is in the expected format and contains only expected values, you need to worry about persisting that data to storage.
Every single data storage mechanism has a specific way to make sure data is properly escaped and encoded. If you're building SQL, then the accepted way to pass data in queries is through prepared statements with placeholders.
One of the better ways to work with most SQL databases in PHP is the PDO extension. It follows the common pattern of preparing a statement, binding variables to the statement, then sending the statement and variables to the server. If you haven't worked with PDO before here's a pretty good MySQL-oriented tutorial.
Some SQL databases have their own specialty extensions in PHP, including SQL Server, PostgreSQL and SQLite 3. Each of those extensions has prepared statement support that operates in the same prepare-bind-execute fashion as PDO. Sometimes you may need to use these extensions instead of PDO to support non-standard features or behavior.
MySQL also has its own PHP extensions. Two of them, in fact. You only want to ever use the one called mysqli. The old "mysql" extension has been deprecated and is not safe or sane to use in the modern era.
I'm personally not a fan of mysqli. The way it performs variable binding on prepared statements is inflexible and can be a pain to use. When in doubt, use PDO instead.
If you are not using an SQL database to store your data, check the documentation for the database interface you're using to determine how to safely pass data through it.
When possible, make sure that your database stores your data in an appropriate format. Store numbers in numeric fields. Store dates in date fields. Store money in a decimal field, not a floating point field. Review the documentation provided by your database on how to properly store different data types.
Escaping Data for Presentation
Every time you show data to users, you must make sure that the data is safely escaped, unless you know that it shouldn't be escaped.
When emitting HTML, you should almost always pass any data that was originally user-supplied through htmlspecialchars. In fact, the only time you shouldn't do this is when you know that the user provided HTML, and that you know that it's already been sanitized it using a whitelist.
Sometimes you need to generate some Javascript using PHP. Javascript does not have the same escaping rules as HTML! A safe way to provide user-supplied values to Javascript via PHP is through json_encode.
And More
There are many more nuances to data validation.
For example, character set encoding can be a huge trap. Your application should follow the practices outlined in "UTF-8 all the way through". There are hypothetical attacks that can occur when you treat string data as the wrong character set.
Earlier I mentioned browser debug tools. These tools can also be used to manipulate cookie data. Cookies should be treated as untrusted user input.
Data validation and escaping are only one aspect of web application security. You should make yourself aware of web application attack methodologies so that you can build defenses against them.
这篇关于什么是最好的PHP输入消毒功能?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
