php Sanitizing user input in Laravel

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow original URL: http://stackoverflow.com/questions/12813424/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-25 04:16:38  Source: igfitidea

Sanitize user input in laravel

php xss laravel

Asked by warmspringwinds

I've got a simple question: When is it best to sanitize user input? And which one of these is considered the best practice:


  1. Sanitize data before writing to database.
  2. Save raw data and sanitize it in the view.

For example, use HTML::entities() and save the result to the database. Or by using HTML methods in the views, because in this case Laravel by default uses HTML::entities(). Or maybe by using both.


EDIT: I found an interesting example http://forums.laravel.com/viewtopic.php?id=1789. Are there other ways to solve this?


Answered by Erlend

I would say you need both locations but for different reasons. When data comes in you should validate the data according to the domain, and reject requests that do not comply. As an example, there is no point in allowing a tag (or text for that matter) if you expect a number. For a parameter representing a year, you may even want to check that it is within some range. Sanitization kicks in for free text fields. You can still do simple validation for unexpected characters like 0-bytes. IMHO it's best to store raw through safe SQL (parameterized queries) and then correctly encode for output. There are two reasons. The first is that if your sanitizer has a bug, what do you do with all the data in your database? Resanitizing can have unwanted consequences. Secondly, you want to do contextual escaping, for whichever output you are using (JSON, HTML, HTML attributes etc.)

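One way to put this answer into code, as an added example that is not from the original post or from Laravel itself: plain PHP with no framework dependency, where validateYear, validateFreeText and encodeFor are names chosen here and the $comment string is a constructed sample. It validates a year by domain, stores free text raw (rejecting only NUL bytes), encodes once per output context, and shows the double-encoding you get when you sanitize on input and escape again on output.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answers: validate on input,
// store raw, and encode on output for the context it is emitted into.

// Domain validation for a year parameter: reject values outside the
// expected form and range instead of trying to "clean" them.
function validateYear(string $input, int $min = 1900, int $max = 2100): ?int
{
    if (preg_match('/^\d{4}$/', $input) !== 1) {
        return null;
    }
    $year = (int) $input;
    return ($year >= $min && $year <= $max) ? $year : null;
}

// Free text is stored raw, but NUL bytes are never legitimate input.
function validateFreeText(string $input): bool
{
    return strpos($input, "\0") === false;
}

// Contextual output encoding of a raw stored value.
function encodeFor(string $raw, string $context): string
{
    switch ($context) {
        case 'html':   // element content or a double-quoted attribute value
            return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        case 'json':   // JSON literal embedded in a <script> block
            return json_encode($raw, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
        default:
            throw new InvalidArgumentException("unknown output context: $context");
    }
}

// Constructed sample input: a comment that contains markup and quotes.
$comment = '<b>5 < 6</b> & "quotes"';

var_dump(validateYear('1999'), validateYear('99'), validateFreeText($comment));

// Store raw (via a parameterized query), then encode once per output context.
echo encodeFor($comment, 'html'), PHP_EOL;
echo encodeFor($comment, 'json'), PHP_EOL;

// Sanitizing on input *and* escaping on output double-encodes: a stored
// "&lt;" becomes "&amp;lt;" and the browser displays the entity text.
$stored = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo encodeFor($stored, 'html'), PHP_EOL;
```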

Answered by Muhammad Usman

I have a full article on input filtering in Laravel, you might find it useful http://usman.it/xss-filter-laravel/, here is the excerpt from this article:


You can do a global XSS clean yourself. If you don't have a library to write common methods you may need frequently, then I ask you to create a new library Common in application/library. Put these two methods in your Common library:


/*
 * Method to strip tags globally.
 */
public static function global_xss_clean()
{
    // Recursive cleaning for array [] inputs, not just strings.
    $sanitized = static::array_strip_tags(Input::get());
    Input::merge($sanitized);
}

public static function array_strip_tags($array)
{
    $result = array();

    foreach ($array as $key => $value) {
        // Don't allow tags on key either, maybe useful for dynamic forms.
        $key = strip_tags($key);

        // If the value is an array, we will just recurse back into the
        // function to keep stripping the tags out of the array,
        // otherwise we will set the stripped value.
        if (is_array($value)) {
            $result[$key] = static::array_strip_tags($value);
        } else {
            // I am using strip_tags(), you may use htmlentities(),
            // also I am doing trim() here, you may remove it, if you wish.
            $result[$key] = trim(strip_tags($value));
        }
    }

    return $result;
}

Then put this code in the beginning of your before filter (in application/routes.php):


//Our own method to defend XSS attacks globally.
Common::global_xss_clean();

Answered by 735Tesla

I just found this question. Another way to do it is to enclose dynamic output in triple brackets like this: {{{ $var }}} and Blade will escape the string for you. That way you can keep the potentially dangerous characters in case they are important somewhere else in the code and display them as escaped strings.


Answered by Oddman

It depends on the user input. If you're generally going to be outputting code they may provide (for example maybe it's a site that provides code snippets), then you'd sanitize on output. It depends on the context. If you're asking for a username, and they're entering HTML tags, your validation should be picking this up and going "no, this is not cool, man!"


If it's like the example I stated earlier (code snippets), then let it through as RAW (but be sure to make sure your database doesn't break), and sanitize on output. When using PHP, you can use htmlentities($string).


Answered by Andres Felipe

I found this because I was worried about XSS in Laravel, so this is the package gvlatko


It is easy:


To clear inputs: $cleaned = Xss::clean(Input::get('comment'));


To use in views: $cleaned = Xss::clean(Input::file('profile'), TRUE);
