PHP 清理数据
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/5863508/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP Sanitize Data
提问by PeanutsMonkey
I am new to the world of coding and PHP hence would like to learn what's the best way to sanitize form data to avoid malformed pages, code injections and the like. Is the sample script I found below a good example?
我是编码和 PHP 世界的新手,因此想了解清理表单数据以避免格式错误的页面、代码注入等的最佳方法是什么。我在下面找到的示例脚本是一个很好的例子吗?
Code originally posted at http://codeassembly.com/How-to-sanitize-your-php-input/
代码最初发布在http://codeassembly.com/How-to-sanitize-your-php-input/
/**
* Sanitize only one variable .
* Returns the variable sanitized according to the desired type or true/false
* for certain data types if the variable does not correspond to the given data type.
*
* NOTE: True/False is returned only for telephone, pin, id_card data types
*
* @param mixed The variable itself
* @param string A string containing the desired variable type
* @return The sanitized variable or true/false
*/
function sanitizeOne($var, $type)
{
switch ( $type ) {
case 'int': // integer
$var = (int) $var;
break;
case 'str': // trim string
$var = trim ( $var );
break;
case 'nohtml': // trim string, no HTML allowed
$var = htmlentities ( trim ( $var ), ENT_QUOTES );
break;
case 'plain': // trim string, no HTML allowed, plain text
$var = htmlentities ( trim ( $var ) , ENT_NOQUOTES ) ;
break;
case 'upper_word': // trim string, upper case words
$var = ucwords ( strtolower ( trim ( $var ) ) );
break;
case 'ucfirst': // trim string, upper case first word
$var = ucfirst ( strtolower ( trim ( $var ) ) );
break;
case 'lower': // trim string, lower case words
$var = strtolower ( trim ( $var ) );
break;
case 'urle': // trim string, url encoded
$var = urlencode ( trim ( $var ) );
break;
case 'trim_urle': // trim string, url decoded
$var = urldecode ( trim ( $var ) );
break;
case 'telephone': // True/False for a telephone number
$size = strlen ($var) ;
for ($x=0;$x<$size;$x++)
{
if ( ! ( ( ctype_digit($var[$x] ) || ($var[$x]=='+') || ($var[$x]=='*') || ($var[$x]=='p')) ) )
{
return false;
}
}
return true;
break;
case 'pin': // True/False for a PIN
if ( (strlen($var) != 13) || (ctype_digit($var)!=true) )
{
return false;
}
return true;
break;
case 'id_card': // True/False for an ID CARD
if ( (ctype_alpha( substr( $var , 0 , 2) ) != true ) || (ctype_digit( substr( $var , 2 , 6) ) != true ) || ( strlen($var) != 8))
{
return false;
}
return true;
break;
case 'sql': // True/False if the given string is SQL injection safe
// insert code here, I usually use ADODB -> qstr() but depending on your needs you can use mysql_real_escape();
return mysql_real_escape_string($var);
break;
}
return $var;
}
采纳答案by Oliver Emberton
Your example script isn't great - the so called sanitisation of a string just trims whitespace off each end. Relying on that would get you in a lot of trouble fast.
您的示例脚本不是很好 - 所谓的字符串消毒只是修剪每一端的空格。依赖它会让你很快陷入很多麻烦。
There isn't a one size fits all solution. You need to apply the right sanitisation for your application, which will completely depend on what input you need and where it's being used. And you should sanitise at multiple levels in any case - most likely when you receive data, when you store it and possibly when you render it.
没有一刀切的解决方案。您需要为您的应用程序应用正确的清理,这将完全取决于您需要什么输入以及它在何处使用。在任何情况下,您都应该在多个级别进行消毒 - 最有可能是在您接收数据、存储数据以及渲染数据时。
Worth reading, possible dupes:
值得一读,可能的骗局:
回答by CS?
That script has some nice functions but it doesn't do a good job at sanitizing!
该脚本有一些不错的功能,但它在消毒方面做得不好!
Depending on what you need (and want to accept) you can use:
根据您的需要(并希望接受),您可以使用:
abs()for positive numbers (note that it accepts floats also)preg_replace('/[^a-zA-Z0-9 .-]/','',$var)for cleaning out any special characters from strings orpreg_replace('/\D/','',$var)to remove all non-digit charactersctype_* functionseg.ctype_digit($var)filter_var()andfilter_input()functionstype-casteg.
(int)$_GET['id']convert eg.
$id=$_GET['id']+0;
abs()对于正数(注意它也接受浮点数)preg_replace('/[^a-zA-Z0-9 .-]/','',$var)用于清除字符串中的任何特殊字符或preg_replace('/\D/','',$var)删除所有非数字字符ctype_* functions例如。ctype_digit($var)类型转换例如。
(int)$_GET['id']转换例如。
$id=$_GET['id']+0;
回答by David
As a general rule if you are using PHP & MySQL you will want to sanitize data going into MySQL like so:
作为一般规则,如果您使用 PHP 和 MySQL,您需要像这样清理进入 MySQL 的数据:
$something = mysql_real_escape_string($_POST['your_form_data']);
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/function.mysql-real-escape-string.php
回答by Lightness Races in Orbit
It's not bad.
不算太差。
For SQL, it'd be best to avoid the need to risk the scenario at all, by using PDO to insert parameters into your queries.
对于 SQL,最好通过使用 PDO 将参数插入到您的查询中来完全避免需要冒险的场景。
