数据过滤，卫生和验证HTML允许的输入 [英] Data filtering, sanitation, and validation for HTML-allowed inputs

问题描述

我发现很多关于消毒，过滤和验证表单的信息，例如电子邮件，电话号码，地址等。但是，您的应用程序的安全性与您最薄弱的环节一样强大。如果你的表单还包含一个大的textarea，可以说，你希望你的用户能够编写灵活的，可读的HTML条目？

例如，当您提问或提交答案时，StackOverflow上的这个textarea允许您格式化文本，包括链接，图片等。堆栈溢出获取用户的输入，将其放入数据库，然后显示在网络上：图片，链接和全部。这意味着他们必须允许html标签，特殊字符等。他们如何以及如何确保没有将恶意内容放入我的数据库中？

具体而言，以下是我添加的安全性实现到我的Web应用程序：

1. 处理动态数据库输入时的PDO预处理语句
   
2. （如果有人获得控制权，他们只能更新，插入或选择）


3. 客户端验证（几乎没用
   
4. 使用POST而不是GET


5. 关闭error_display，所以恶意用户无法探测

我知道最好的做法是使用服务器端验证过滤和验证POST []，但这样做会限制我的用户可以提交。例如，过滤掉所有html标签将禁用链接，图像和格式。输出过滤与htmlentities相同的问题。也许有一种更细致的方式来做到这一点？

我还能做些什么来确保这一点？

我应该补充：在显示任何输出前，将会有一个审核流程。每个用户条目在被允许放入网站之前都会有一双眼睛看着它。这需要处理输出过滤，但输入过滤仍然是一个问题。

解决方案

使用动态数据库输入时的PDO准备好的语句

正确

限制我的制作网站的数据库访问权限较少的用户（所以如果有人获得控制权，他们只能更新，插入或选择）

无用

客户端验证

无用

使用POST，而非GET

无关

将error_display关闭，因此恶意用户无法探测到

正确

您的列表中没有任何项目关于HTML问题。如果你想允许格式化输入，你必须使用BB代码或HTML净化器或类似的东西。

I've found a lot of info on sanitizing, filtering, and validating forms when it comes to simple inputs like email, phone numbers, addresses, etc.

But the security of your app is only as strong as your weakest link. What if your form also includes a large textarea, lets say, that you want your users to be able to write flexible, html readable entries?

For example this textarea on StackOverflow allows you to format text, include links, pictures, etc when you are asking a question or submitting an answer. Stack overflow takes user's inputs, put it into their database, then display it on the web: pictures, links, and all. Which means they have to allow html tags, special characters, and the like. How do they, and how can I, make sure there is no malicious content being put into my database?

To get specific, here are the security implementations I've added to my web app:

1. PDO Prepared Statements when working with dynamic database inputs
2. Limited my production site's database access to a user with less privileges (so if someone does gain control, they'll only be able to update, insert, or select)
3. Client-side validation (pretty much useless in this context, it's just for users' convenience)
4. Using POST, not GET
5. Turned error_display off, so malicious users can't probe

I know the best practice is to filter and validate the POST[] using server-side validation, but doing that will limit what my users can submit. For example, filtering out all html tags will disable links, images, and formatting. Same problem with output filtering with htmlentities. Maybe there is a more nuanced way to do it?

What else can I do to secure this?

I should add: There will be a moderation process before any output is displayed. Each user entry will have a pair of eyes looking at it before it is allowed to be put on the website. That takes care of output filtering, but input filtering is still an issue.

解决方案

PDO Prepared Statements when working with dynamic database inputs

right

Limited my production site's database access to a user with less privileges (so if someone does gain control, they'll only be able to update, insert, or select)

useless

Client-side validation (pretty much useless in this context, it's just for users' convenience)

useless

Using POST, not GET

irrelevant

Turned error_display off, so malicious users can't probe

right

There is no item in your list regarding HTML issues. If you want to allow formatted input, you have to use either BB-code or HTML purifier or something of the sort.

这篇关于数据过滤，卫生和验证HTML允许的输入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！