Is preventing XSS and SQL Injection as easy as this?


Problem description

Question: Is preventing XSS (cross-site scripting) as simple as using strip_tags on any saved input fields and running htmlspecialchars on any displayed output ... and preventing SQL Injection by using PHP PDO prepared statements?

Here's an example:

// INPUT: Input a person's favorite color and save it to the database
// this should prevent SQL injection (by using a prepared statement)
// and help prevent XSS (by using strip_tags)
$sql = 'INSERT INTO favorite (person_name, color) VALUES (?, ?)';
$sth = $conn->prepare($sql);
$sth->execute(array(strip_tags($_POST['person_name']), strip_tags($_POST['color'])));


// OUTPUT: Output a person's favorite color from the database
// this should prevent XSS (by using htmlspecialchars) when displaying
$sql = 'SELECT color FROM favorite WHERE person_name = ?';
$sth = $conn->prepare($sql);
$sth->execute(array(strip_tags($_POST['person_name'])));
$sth->setFetchMode(PDO::FETCH_BOTH);
// fetch() returns a row array, so the column has to be picked out before encoding
while ($row = $sth->fetch()) {
  echo htmlspecialchars($row['color'], ENT_QUOTES, 'UTF-8');
}

Solution

It's even simpler. Just htmlspecialchars() (with quote style and character set) on user-controlled input is enough. The strip_tags() is only useful if you already want to sanitize data prior to processing/saving in the database, which is often not done in the real world. HTML code doesn't do harm in PHP source, but PHP code may do so if you use eval() on non-sanitized user-controlled input or that kind of evil stuff.

This however doesn't save you from SQL injections, but that's another story.

Update: to get clean user input from the request to avoid magic quotes in user-controlled input, you can use the following function:

function get_string($array, $index, $default = null) {
    if (isset($array[$index]) && strlen($value = trim($array[$index])) > 0) {
         return get_magic_quotes_gpc() ?  stripslashes($value) : $value;
    } else {
         return $default;
    }
}

which can be used as:

$username = get_string($_POST, "username");
$password = get_string($_POST, "password");

(you can do similar for get_number, get_boolean, get_array, etc.)

To prepare the SQL query to avoid SQL injections, do:

// escape each value before interpolating it; $username and $password come from get_string() above
$sql = sprintf(
    "SELECT id FROM user WHERE username = '%s' AND password = MD5('%s')",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password)
);

To display user-controlled input to avoid XSS, do:

echo htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
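The question's insert/select flow written out end to end, as an added example that is not part of the original question or answer: parameters are bound through PDO as the question proposes, and output is encoded only at display time. It assumes an in-memory SQLite database and a constructed `$post` array standing in for `$_POST`, so it runs offline.

```php
<?php
// Added example, not from the original post. Table, connection and sample
// request data are constructed here so the script runs stand-alone.
declare(strict_types=1);

$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE favorite (person_name TEXT, color TEXT)');

// One output-encoding helper so every echo of user data goes through it.
// ENT_QUOTES covers both quote styles, which matters inside HTML attributes.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed stand-in for $_POST; quotes and angle brackets are deliberate
// so the effect of each step is visible.
$post = ['person_name' => "Rob \"Bob\" O'Brien", 'color' => '<b>green</b>'];

// INPUT: values are bound, never interpolated into the SQL text, so the
// quotes in person_name are stored literally and cannot alter the query.
$sth = $conn->prepare('INSERT INTO favorite (person_name, color) VALUES (?, ?)');
$sth->execute([$post['person_name'], $post['color']]);

// OUTPUT: fetch() returns a row array, not a string; pick the column and
// encode it at display time. The stored value itself stays raw.
$sth = $conn->prepare('SELECT color FROM favorite WHERE person_name = ?');
$sth->execute([$post['person_name']]);
$sth->setFetchMode(PDO::FETCH_ASSOC);
while ($row = $sth->fetch()) {
    echo e($row['color']), "\n";
}

// strip_tags() is not an output encoder: it removes tags but leaves quotes
// untouched, while e() neutralises them. Compare both on the same input.
echo strip_tags($post['person_name']), "\n";
echo e($post['person_name']), "\n";
```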
