什么是最安全的方式来添加html / css / js到mysql? [英] What is the securest way to add html/css/js to mysql?
问题描述
我目前使用下面的PHP类将html,css和javascript代码存储到我的mysql数据库中。 ($ data){
$ b
函数过滤器($ data){
$ data = trim(htmlentities(strip_tags($ data)));
if(get_magic_quotes_gpc())
$ data = stripslashes($ data);
$ data = strip_tags($ data);
$ data = mysql_real_escape_string($ data);
return $ data;}
我真的好奇,是否足够安全地将HTML / CSS / JS代码存储在mysql数据库中?
技术上安全。这意味着,MySQL将保存文本,并将在不丢失任何数据的情况下再次返回。Mysql在文本内容之间没有区别,所以它使得没有如果它是HTML,CSS,JS代码或你的朋友的最后一封电子邮件,它们的区别就在于它们之间的区别。
但是,如果稍后输出文本,应注意不要发生不需要的代码注入从MySQL中取出数据后。但是这与MySQL实际上没有关系。
为了让你的sql更安全,把数据库句柄传给 mysql_real_escape_string
或甚至更好地使用 MySQLi 和/或 PDO 并准备好您的代码 您的代码看起来像是在试图阻止某些事情,但在结束它变得很无用:
$ b $ pre $ 函数过滤器($ data){
$ data = trim(htmlentities(用strip_tags($数据)));
if(get_magic_quotes_gpc())
$ data = stripslashes($ data);
$ data = strip_tags($ data);
$ data = mysql_real_escape_string($ data);
return $ data;}
在处理数据之前对数据进行规范化处理
首先,您应该更改 get_magic_quotes_gpc
的检查位置,以使函数正在处理的数据标准化。如果您的应用程序不依赖它,但是如果启用此选项则拒绝工作会更好 - 请参阅这里有关这个重要信息,如果你关心安全性的话。
但是为了您发布的代码的安全性,我们先将输入值标准化为函数之前进一步处理。这是通过将检查移动到函数的顶部来完成的。 在这个修改过的函数中,魔术引号(你不应该使用)已被移到顶端。这确保了无论打开还是关闭该选项,数据总是会被处理。你的函数没有这样做,它会为传递的相同数据创建不同的结果。所以这个问题已经解决了。 即使功能现在看起来更好,它仍然有很多问题。例如,目前尚不清楚该功能的功能。它一次执行许多操作,其中一些是矛盾的: 那么数据应该是什么? HTML与否?如果事情变得不明确,它不会引入更多的安全性,因为这会给您的程序带来错误,最终甚至会传递您的安全防范措施。 所以你应该抛出如果输入到您的应用程序无效,请不要过滤它。 所以如果你想让你的代码更安全,这不是把一堆函数扔到一些数据上,因为你认为这些是与安全有关的。通过这样做,您不会使软件更安全,但安全性更低。 不要信任用户数据 I'm currently using the following PHP class to store html, css and javascript code to my mysql database. I' really wondering if the used code is secure enough to store HTML / CSS / JS code in a mysql database? Yes, MySQL can store any type of text technically safely. Which means, MySQL will save the text as is and will return it again without loosing any data. Mysql does not differ between the content of the text, so it makes no difference if it is HTML, CSS, JS code or your friends last email. However if you output the text later on you should take care that there is no unwanted code injection after you've pulled the data from mysql. But that's not related to MySQL actually. To make you sql more secure, pass the database handle to Your code looks like you're trying a lot to prevent something, but in the end it turns out pretty useless:
First of all you should change the position of the check for But for the safeness of your code posted, let's first normalize the input value to the function before processing it further. This is done by moving the check to the top of the function. In this modified function, the magic quotes stuff (which you should not use) has been moved to the top of it. This ensures that regardless of that option is on or off, data will always be processed the same. Your function did not do so, it would have created different results for the same data passed. So this has been fixed. Even the function looks better now, it still has many problems. For example, it's unclear what the function actually does. It does many things at once and some of them are contradictory: So what should the data be? HTML or not? It does not introduce more security if things become unclear because this will benefit that errors come into your program and in the end even pass your security precautions. So you should just throw away the code and consider the following: So if you want to make your code more secure, this is not about throwing a bunch of functions onto some data because you think those are security related. By doing so you don't make your software more secure but less secure.
这篇关于什么是最安全的方式来添加html / css / js到mysql?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
pre $ 函数过滤器($ data)
{
//归因于get_magic_quotes_gpc
$ dataNeedsStripSlashes = get_magic_quotes_gpc();
if($ dataNeedsStripSlashes)
{
$ data = stripslashes($ data);
}
//由于开始和结束的空白,归一化$ data
$ data = trim($ data);
//带状标签
$ data = strip_tags($ data);
//将字符替换为HTML实体
$ data = htmlentities($ data);
// mysql转义字符串
$ data = mysql_real_escape_string($ data);
返回$ data;
$ b $ p
$ b
更多功能问题
的HTML标记, $ data
不应包含HTML
$ data
的文本转换为实际包含HTML实体。
$ b <相反,防止进一步使用无效输入。因此,您需要一个函数来验证输入,然后再使用它。
function filter($data) {
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data= strip_tags($data);
$data = mysql_real_escape_string($data);
return $data;}
mysql_real_escape_string
or even better use MySQLi and/or PDO and prepared statements.Your code
function filter($data) {
$data = trim(htmlentities(strip_tags($data)));
if (get_magic_quotes_gpc())
$data = stripslashes($data);
$data= strip_tags($data);
$data = mysql_real_escape_string($data);
return $data;}
Normalize the data before you process it
get_magic_quotes_gpc
to normalize the data the function is working on. It would be even better if your application would not rely on it but just denies working if that option is enabled - see this important information here about that if you care about security.function filter($data)
{
// normalize $data because of get_magic_quotes_gpc
$dataNeedsStripSlashes = get_magic_quotes_gpc();
if ($dataNeedsStripSlashes)
{
$data = stripslashes($data);
}
// normalize $data because of whitespace on beginning and end
$data = trim($data);
// strip tags
$data = strip_tags($data);
// replace characters with their HTML entitites
$data = htmlentities($data);
// mysql escape string
$data = mysql_real_escape_string($data);
return $data;
}
More Problems with your function
$data
should not contain HTML$data
to have actually contain HTML entities.