
Note: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. You are free to use and share it, but you must follow the same CC BY-SA terms, cite the original address, and attribute it to the original authors (not me). StackOverflow original: http://stackoverflow.com/questions/3645131/

Date: 2020-08-25 10:32:51  Source: igfitidea

what is a good method to sanitize the whole $_POST array in php?

Tags: php, arrays, sanitization

Asked by SirG

I have a form with a lot of variables which is then sending an email. Rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SANITIZE_STRING); I was after a more simple piece of code. I came up with the below, which seems to work as I believe the default action is FILTER_SANITIZE_STRING, but I was just wondering what people's opinions are, and if this is not good practice, perhaps you could tell me why? The $_POST values are then individually embedded into new variables, so I would only be using array_map just at the start to sanitize everything...


$_POST = array_map('filter_var', $_POST);

Thank you for your replies, to give you a little more information, basically:


I have 20-30 input fields in a form which are being captured, the data is then displayed to the user to check their input, variables are then sanitized, the user is then sent an email and then finally the details are entered into a db.


Currently I am sanitizing using the above array_map function, as well as FILTER_SANITIZE_EMAIL on the email address before sending an email, and then escaping the input using mysql_real_escape_string() before the insert into the db. Without getting into prepared statements etc., do you think I should be doing anything additionally? Thanks again!


Answered by johnny.rodgers

If the type of each of your input variables is a string and you want to sanitize them all at once, you can use:


// prevent XSS
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

This will sanitize your $_GET and $_POST arrays.


Seen here: PHP - Sanitize values of an array


Answered by Russell Dias

Depends what it's being used for.


If you are inserting it into the database then mysql_real_escape_string() for quoted strings and type casting for numbers would be the way to go - well, ideally prepared statements, but that's an entirely different matter.


If you plan on outputting the data onto the webpage then I would recommend something like htmlspecialchars().


If you plan on using the user input as a shell argument, then you would use escapeshellarg().


Moving onto your question about sending emails. Well, the following should suffice:


filter_var($_POST['message'], FILTER_SANITIZE_STRING);

All this does is basically strip tags and encode special characters.

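The context-specific handling this answer describes, as an added example (not code from any of the answers): one constructed input array is treated differently for each place the data goes. It assumes a `messages` table created inline in an in-memory SQLite database so that it runs offline; the function names are ours.

```php
<?php
// Added example: the same constructed $_POST-like input handled per context.
$input = [
    'name'    => "Alice <b>O'Brien</b>",
    'email'   => "alice@example.com\r\nBcc: someone@example.org",
    'message' => 'Hello & goodbye',
];

// HTML context: encode at output time, keep the stored value raw.
function toHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Email header context: accept only a single syntactically valid address.
// A CR/LF inside the value fails validation, so a forged extra header
// never reaches mail().
function validEmail(string $value): ?string
{
    $v = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Database context: a prepared statement, so no escaping function at all.
function storeMessage(PDO $db, string $name, string $email, string $message): int
{
    $stmt = $db->prepare('INSERT INTO messages (name, email, body) VALUES (?, ?, ?)');
    $stmt->execute([$name, $email, $message]);
    return (int) $db->lastInsertId();
}

// Demo wiring: in-memory SQLite so the example is self-contained.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT, body TEXT)');

echo toHtml($input['name']), "\n";

$email = validEmail($input['email']);
if ($email === null) {
    echo "email rejected, not sending\n";
} else {
    $id = storeMessage($db, $input['name'], $email, $input['message']);
    echo "stored as row $id\n";
}
```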

Answered by Pekka

There is no correct way to do blanket sanitation. What sanitation method you need depends on what is done to the data.


Sanitize the data directly before it is used.


Answered by ymakux

This is what I use in all my projects:


function util_array_trim(array &$array, $filter = false)
{
    array_walk_recursive($array, function (&$value) use ($filter) {
        $value = trim($value);
        if ($filter) {
            $value = filter_var($value, FILTER_SANITIZE_STRING);
        }
    });

    return $array;
}

It allows you to trim and sanitize a nested array of posted data.


Answered by OXiGEN

To apply specific filters on multiple fields, use a switch statement.


// Blanket string sanitation first. filter_input_array() returns null when
// there is no POST data at all, so fall back to an empty array.
$post  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING) ?: [];

foreach($post as $k => $v) {
    switch ($k) {
        case 'int_1':
        case 'int_2':
            // keep digits and sign only, then cast to a real integer
            $post[$k] = (int) filter_var($v, FILTER_SANITIZE_NUMBER_INT);
            break;
        case 'float_1':
        case 'float_2':
            // keep digits, sign and the decimal point, then cast to float
            $post[$k] = (float) filter_var($v, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
            break;
        default:
            break;
    }
}

Note: My IDE (NetBeans) warns about using global $_POST anywhere as a security violation, so I've just gotten into the habit of using a local $post variable instead. If you choose not to do the blanket string sanitation first, FILTER_SANITIZE_STRING could be used for the default: case.

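The per-field idea from this answer expressed as a filter definition for filter_var_array(), added here as an example (not the answerer's code): validation results are checked rather than coerced, unknown fields are dropped, and text is only trimmed on input and encoded at output, since FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. It also bears on the question's own one-liner: array_map('filter_var', $_POST) applies FILTER_DEFAULT, an alias of FILTER_UNSAFE_RAW, which returns each value unchanged. The field names and the sample array are constructed.

```php
<?php
// Added example: declarative per-field filtering with filter_var_array().
// Constructed sample standing in for $_POST.
$post = [
    'int_1'   => '42abc',
    'float_1' => '3.5',
    'email'   => 'alice@example.com',
    'name'    => '  Alice  ',
    'extra'   => 'field the form never defined',
];

$spec = [
    'int_1'   => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 0, 'max_range' => 1000]],
    'float_1' => ['filter'  => FILTER_VALIDATE_FLOAT],
    'email'   => FILTER_VALIDATE_EMAIL,
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1: keep the text raw,
    // only trim it here, and htmlspecialchars() it where it is displayed.
    'name'    => ['filter' => FILTER_CALLBACK, 'options' => 'trim'],
];

/**
 * Returns [$clean, $errors]. Fields absent from $spec (e.g. 'extra') are
 * dropped by filter_var_array(); a field that fails validation comes back
 * as false, a field missing from the input comes back as null.
 */
function filterPost(array $post, array $spec): array
{
    $clean  = filter_var_array($post, $spec, true);
    $errors = [];
    foreach (array_keys($spec) as $field) {
        $value = $clean[$field] ?? null;
        if ($value === false) {
            $errors[] = $field;
        } elseif ($value === null) {
            $errors[] = $field . ' (missing)';
        }
    }
    return [$clean, $errors];
}

[$clean, $errors] = filterPost($post, $spec);
if ($errors) {
    echo 'Rejected fields: ', implode(', ', $errors), "\n";
} else {
    var_dump($clean);
}
```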