什么是最安全的方式来添加html / css / js到mysql？ [英] What is the securest way to add html/css/js to mysql?

问题描述

我目前使用下面的PHP类将html，css和javascript代码存储到我的mysql数据库中。 （$ data）{

$ b

 函数过滤器（$ data）{
 $ data = trim（htmlentities（strip_tags（$ data）））; 
 
 if（get_magic_quotes_gpc（））
 $ data = stripslashes（$ data）; 
 $ data = strip_tags（$ data）; 
 
 $ data = mysql_real_escape_string（$ data）; 
 
 return $ data;} 
  

我真的好奇，是否足够安全地将HTML / CSS / JS代码存储在mysql数据库中？

技术上安全。这意味着，MySQL将保存文本，并将在不丢失任何数据的情况下再次返回。

Mysql在文本内容之间没有区别，所以它使得没有如果它是HTML，CSS，JS代码或你的朋友的最后一封电子邮件，它们的区别就在于它们之间的区别。

但是，如果稍后输出文本，应注意不要发生不需要的代码注入从MySQL中取出数据后。但是这与MySQL实际上没有关系。

为了让你的sql更安全，把数据库句柄传给 mysql_real_escape_string 或甚至更好地使用 MySQLi 和/或 PDO 并准备好您的代码 您的代码看起来像是在试图阻止某些事情，但在结束它变得很无用：
$ b $ pre $ 函数过滤器（$ data）{
$ data = trim（htmlentities（用strip_tags（$数据）））;

if（get_magic_quotes_gpc（））
$ data = stripslashes（$ data）;
$ data = strip_tags（$ data）;

$ data = mysql_real_escape_string（$ data）;

return $ data;}


在处理数据之前对数据进行规范化处理

首先，您应该更改 get_magic_quotes_gpc 的检查位置，以使函数正在处理的数据标准化。如果您的应用程序不依赖它，但是如果启用此选项则拒绝工作会更好 - 请参阅这里有关这个重要信息，如果你关心安全性的话。

但是为了您发布的代码的安全性，我们先将输入值标准化为函数之前进一步处理。这是通过将检查移动到函数的顶部来完成的。

pre $ 函数过滤器（$ data）
{
//归因于get_magic_quotes_gpc
$ dataNeedsStripSlashes = get_magic_quotes_gpc（）;
if（$ dataNeedsStripSlashes）
{
$ data = stripslashes（$ data）;
}

//由于开始和结束的空白，归一化$ data
$ data = trim（$ data）;

//带状标签
$ data = strip_tags（$ data）;

//将字符替换为HTML实体
$ data = htmlentities（$ data）;

// mysql转义字符串
$ data = mysql_real_escape_string（$ data）;

返回$ data;



$ b $ p
$ b

在这个修改过的函数中，魔术引号（你不应该使用）已被移到顶端。这确保了无论打开还是关闭该选项，数据总是会被处理。你的函数没有这样做，它会为传递的相同数据创建不同的结果。所以这个问题已经解决了。



更多功能问题

即使功能现在看起来更好，它仍然有很多问题。例如，目前尚不清楚该功能的功能。它一次执行许多操作，其中一些是矛盾的：

• 它删除标记为的HTML标记， $ data 不应包含HTML


• 但是，您将 $ data 的文本转换为实际包含HTML实体。

那么数据应该是什么？ HTML与否？如果事情变得不明确，它不会引入更多的安全性，因为这会给您的程序带来错误，最终甚至会传递您的安全防范措施。

所以你应该抛出如果输入到您的应用程序无效，请不要过滤它。
$ b <相反，防止进一步使用无效输入。因此，您需要一个函数来验证输入，然后再使用它。

不要仅仅因为您认为就更改数据，这可能会使安全性更高。相反，在需要和适当的地方改变和编码数据。

• 让您的应用程序只能使用魔术引号关闭。依靠这个功能是非常不鼓励的。然后，不需要在代码中检查所有内容。
  
• 为了安全地在数据库中存储某些内容，请先在查询中使用它，然后再转义数据。不在你的应用程序的其他地方。使用Prepared语句。


• 如果数据有效，则无需在数据库中加入数据。 但是，当您输出到网页时，您需要对其进行正确编码。只有一个应用程序确实知道这需要哪种编码。您将数据放入数据库时​​不知道。

所以如果你想让你的代码更安全，这不是把一堆函数扔到一些数据上，因为你认为这些是与安全有关的。通过这样做，您不会使软件更安全，但安全性更低。 不要信任用户数据

确保数据的格式符合您的需要在处理之前。

使用正确的工具

不要在猜测中使用工具。获取知识，不仅仅是安全的明智之举。

I'm currently using the following PHP class to store html, css and javascript code to my mysql database.

function filter($data) {
$data = trim(htmlentities(strip_tags($data)));

if (get_magic_quotes_gpc())
    $data = stripslashes($data);
    $data= strip_tags($data);

$data = mysql_real_escape_string($data);

return $data;}

I' really wondering if the used code is secure enough to store HTML / CSS / JS code in a mysql database?

解决方案

Yes, MySQL can store any type of text technically safely. Which means, MySQL will save the text as is and will return it again without loosing any data.

Mysql does not differ between the content of the text, so it makes no difference if it is HTML, CSS, JS code or your friends last email.

However if you output the text later on you should take care that there is no unwanted code injection after you've pulled the data from mysql. But that's not related to MySQL actually.

To make you sql more secure, pass the database handle to mysql_real_escape_string or even better use MySQLi and/or PDO and prepared statements.

Your code

Your code looks like you're trying a lot to prevent something, but in the end it turns out pretty useless:

function filter($data) {
$data = trim(htmlentities(strip_tags($data)));

if (get_magic_quotes_gpc())
    $data = stripslashes($data);
    $data= strip_tags($data);

$data = mysql_real_escape_string($data);

return $data;}

Normalize the data before you process it

First of all you should change the position of the check for get_magic_quotes_gpc to normalize the data the function is working on. It would be even better if your application would not rely on it but just denies working if that option is enabled - see this important information here about that if you care about security.

But for the safeness of your code posted, let's first normalize the input value to the function before processing it further. This is done by moving the check to the top of the function.

function filter($data)
{
   // normalize $data because of get_magic_quotes_gpc
   $dataNeedsStripSlashes = get_magic_quotes_gpc();
   if ($dataNeedsStripSlashes)
   {
     $data = stripslashes($data);
   }

   // normalize $data because of whitespace on beginning and end
   $data = trim($data);

   // strip tags
   $data = strip_tags($data);

   // replace characters with their HTML entitites
   $data = htmlentities($data);

   // mysql escape string    
   $data = mysql_real_escape_string($data);

   return $data;
 }

In this modified function, the magic quotes stuff (which you should not use) has been moved to the top of it. This ensures that regardless of that option is on or off, data will always be processed the same. Your function did not do so, it would have created different results for the same data passed. So this has been fixed.

More Problems with your function

Even the function looks better now, it still has many problems. For example, it's unclear what the function actually does. It does many things at once and some of them are contradictory:

• It removes HTML tags which is a sign that $data should not contain HTML
• But then you convert the text of $data to have actually contain HTML entities.

So what should the data be? HTML or not? It does not introduce more security if things become unclear because this will benefit that errors come into your program and in the end even pass your security precautions.

So you should just throw away the code and consider the following:

• If input to your application is invalid, don't filter it. Instead prevent further use of invalid input. So you need a function to validate input before you make use of it.
• Don't change data just because you think this might make something more secure. Instead change and encode data where it is needed and appropriate.
  • Make your application only work with magic quotes off. Relying on this feature is highly discouraged. And then there is no need to check for that all over in your code.
  • To store something safely within the database, escape the data prior using it in the query only. Not at some other place of your application. Use Prepared statements for that.
  • No need to wrangle the data before you put it into the database if it's valid. But you need to properly encode it when output it to the webpage. And only there an application does know in which encoding this needs to be. You do not know that when you put the data into the database.

So if you want to make your code more secure, this is not about throwing a bunch of functions onto some data because you think those are security related. By doing so you don't make your software more secure but less secure.

1. Never trust user data.
2. Ensure data is in the format you need it prior processing.
3. Use the right tool for the job at the right place.
4. Never use tools at guess. Get knowledge instead, that pays not only security wise.

这篇关于什么是最安全的方式来添加html / css / js到mysql？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！