Best way to Sanitize / Filter Comments from users?


Problem description

I am currently using this process to sanitize/filter comments entered by users:
This one is used to strip slashes... and

    if (get_magic_quotes_gpc()) {
        // Only runs when magic_quotes_gpc is on (PHP < 5.4); from 5.4 onward
        // get_magic_quotes_gpc() always returns false and this block is skipped.
        function stripslashes_deep($value)
        {
            // Recurse into nested arrays, unescaping each string leaf.
            $value = is_array($value) ?
                        array_map('stripslashes_deep', $value) :
                        stripslashes($value);

            return $value;
        }

        // Undo the automatic backslash-escaping on every request source.
        $_POST = array_map('stripslashes_deep', $_POST);
        $_GET = array_map('stripslashes_deep', $_GET);
        $_COOKIE = array_map('stripslashes_deep', $_COOKIE);
        $_REQUEST = array_map('stripslashes_deep', $_REQUEST);
    }

Then the comment goes through this function to sanitize the data...

    function my_strip_tags($str) {
        // Split on every '<'; the first chunk has no '<' in front of it.
        $strs = explode('<', $str);
        $res = $strs[0];
        for ($i = 1; $i < count($strs); $i++) {
            // A chunk with no closing '>' is not a tag: re-add its '<' as an entity.
            // (=== false is required: strpos() returns 0 when '>' is the first character.)
            if (strpos($strs[$i], '>') === false)
                $res = $res . '&lt;' . $strs[$i];
            else
                $res = $res . '<' . $strs[$i];
        }
        // Whatever still looks like a tag is removed by strip_tags().
        return strip_tags($res);
    }

After this it goes straight into the database using a prepared statement...

    function add_comment($comment, $type, $update_id, $user_id) {
        // $type is accepted but not used by the query below.
        $query = "INSERT INTO comment_updates (updateid, userid, comment) VALUES (?, ?, ?)";
        if ($stmt = $this->conn->prepare($query)) {
            // All three values are bound as parameters, so $comment cannot alter the SQL.
            $stmt->bind_param('sss', $update_id, $user_id, $comment);
            $stmt->execute();
            $inserted = ($this->conn->affected_rows == 1);
            // Close the statement on every path, not only on success.
            $stmt->close();
            return $inserted;
        }
        return false;
    }

I just wanted to know if this is secure enough or if there are any other better alternatives... Thanks

Solution

Don't write your own HTML sanitizer. You'll create XSS holes.

If you're going to write your own, at least run the ha.ckers.org xss smoketests against it.

Between those tests, and the htmlpurifier comparison of filters, you should be able to get a good idea of just how complicated html sanitization is -- and why you should leave it to the pros.
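As an added example (not code from the question or the answer), here is the approach the answer points toward, in PHP: store the comment exactly as typed, and make it safe at the point where it is rendered, encoding it for a plain-text context or handing it to HTML Purifier with an allowlist when markup is wanted. Table and column names follow the question; the integer id columns, the 2000-character limit and the purifier allowlist are assumptions. The question's my_strip_tags is reproduced (with type hints added) only so the two behaviours can be compared on constructed inputs, where it shows that strip_tags() swallows ordinary text such as a<b and c>d because the run from < to > is treated as a tag.

```php
<?php
declare(strict_types=1);

// Store the raw comment with a prepared statement. Column types (integer ids,
// text comment) and the length limit are assumptions, not taken from the question.
function save_comment(mysqli $conn, int $update_id, int $user_id, string $comment): bool
{
    if (!mb_check_encoding($comment, 'UTF-8') || mb_strlen($comment, 'UTF-8') > 2000) {
        return false; // reject malformed or oversized input instead of silently "cleaning" it
    }
    $stmt = $conn->prepare(
        'INSERT INTO comment_updates (updateid, userid, comment) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iis', $update_id, $user_id, $comment);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

// Plain-text comments: encode every HTML metacharacter for an element-body context.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE replaces invalid byte
// sequences rather than returning an empty string.
function render_comment(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($safe); // line breaks are the only markup added, after encoding
}

// Comments that may carry limited markup: delegate to HTML Purifier with an explicit
// allowlist (assumed set of tags) instead of a hand-written tag stripper.
function render_rich_comment(string $html): string
{
    if (!class_exists('HTMLPurifier')) {
        return render_comment($html); // library not installed: fall back to plain text
    }
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,strong,i,em,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('HTML.Nofollow', true);
    return (new HTMLPurifier($config))->purify($html);
}

// The question's filter, kept behaviourally identical so the two can be compared.
function my_strip_tags(string $str): string
{
    $strs = explode('<', $str);
    $res = $strs[0];
    for ($i = 1; $i < count($strs); $i++) {
        if (!strpos($strs[$i], '>')) {
            $res = $res . '&lt;' . $strs[$i];
        } else {
            $res = $res . '<' . $strs[$i];
        }
    }
    return strip_tags($res);
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: ordinary text that happens to contain HTML metacharacters.
    $samples = [
        'a<b and c>d',             // strip_tags() treats "<b and c>" as a tag and drops it
        'Tom & Jerry',             // a bare ampersand is left unencoded by the stripper
        'She said "hi" and left',  // quotes matter once the text lands in an attribute
    ];
    foreach ($samples as $s) {
        printf("input:         %s\n", $s);
        printf("my_strip_tags: %s\n", my_strip_tags($s));
        printf("render:        %s\n\n", render_comment($s));
    }
}
```

Run it with php on the command line to see the comparison; save_comment needs a live mysqli connection and is not exercised by the demo. Encoding at output time also lets the same stored comment be placed in a different context later (an attribute, a JSON payload) with the encoder that fits that context, which an input-side stripper cannot anticipate.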
