防止 SQL 注入和 XSS 的 PHP 函数
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6857817/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
A PHP function to prevent SQL Injections and XSS
提问by LonelyWebCrawler
I am tring to make my PHP as secure as possible, and the two main things I am trying to avoid are
我试图让我的 PHP 尽可能安全,我试图避免的两个主要事情是
- mySQL Injections
- Cross-Side Scripting (XSS)
- mySQL 注入
- 跨端脚本 (XSS)
This is the script I got against mySQL Injections:
这是我针对 mySQL 注入获得的脚本:
function make_safe($variable) {
$variable = mysql_real_escape_string(trim($variable));
return $variable; }
http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/
http://www. addedbytes.com/writing-secure-php/writing-secure-php-1/
Against XSS, I found this:
针对 XSS,我发现了这一点:
$username = strip_tags($_POST['username']);
Now I want to unite the two into a single function. Would this be the best way to do so? :
现在我想将两者合并为一个函数。这会是最好的方法吗?:
function make_safe($variable) {
$variable = strip_tags(mysql_real_escape_string(trim($variable)));
return $variable; }
Or does the mysql_real_escape_stringalready prevent XSS? And lastly, is there anything else that I could add into this function to prevent other forms of hacking?
或者mysql_real_escape_string 是否已经阻止了 XSS?最后,还有什么我可以添加到这个函数中来防止其他形式的黑客攻击的吗?
采纳答案by daGrevis
mysql_real_escape_string()doesn't prevent XSS. It will only make impossible to do SQL injections.
mysql_real_escape_string()不会阻止 XSS。它只会使 SQL 注入变得不可能。
To fight XSS, you need to use htmlspecialchars()or strip_tags(). 1st will convert special chars like <to <that will show up as <, but won't be executed. 2nd just strip all tags out.
要对抗 XSS,您需要使用htmlspecialchars()或strip_tags()。1st 会将特殊字符转换<为<将显示为<,但不会被执行。2 只需去掉所有标签。
I don't recommend to make special function to do it or even make one function to do it all, but your given example would work. I assume.
我不建议使用特殊功能来完成它,甚至不建议使用一个功能来完成所有工作,但是您给出的示例会起作用。我假设。
回答by Johan
This function:
这个功能:
function make_safe($variable)
{
$variable = strip_tags(mysql_real_escape_string(trim($variable)));
return $variable;
}
Will not work
不管用
SQL injection and XSS are two different beasts. Because they each require different escaping you need to use each escape function strip_tagsand mysql_real_escape_stringseparatly.
Joining them up will defeat the security of each.
SQL 注入和 XSS 是两种不同的野兽。因为他们需要不同的逃避,你需要使用的每个逃生功能strip_tags和mysql_real_escape_stringseparatly。
加入他们将破坏每个人的安全。
Use the standard mysql_real_escape_string()when inputting data into the database.
Use strip_tags()when querying stuff out of the database before outputting them to the screen.
mysql_real_escape_string()将数据输入数据库时使用标准。在将内容输出到屏幕之前从数据库中查询内容时
使用strip_tags()。
Why combining the two function is dangerous
From the horses mouth: http://php.net/manual/en/function.strip-tags.php
为什么将这两个功能结合起来很危险
从马嘴里说:http: //php.net/manual/en/function.strip-tags.php
Because strip_tags() does not actually validate the HTML, partial or broken tags can result in the removal of more text/data than expected.
由于 strip_tags() 实际上并不验证 HTML,部分或损坏的标签可能会导致删除比预期更多的文本/数据。
So by inputting malformed html into a database field a smart attacker can use your naive implementation to defeat mysql_real_escape_string()in your combo.
因此,通过将格式错误的 html 输入数据库字段,聪明的攻击者可以使用您的幼稚实现来击败mysql_real_escape_string()您的组合。
回答by Jon Gjengset
What you should really be looking into is using prepared statementsand PDOto both provide an abstraction layer against your database as well as completely eradicate SQL injection attacks.
您真正应该研究的是使用准备好的语句和PDO来为您的数据库提供一个抽象层,并完全消除 SQL 注入攻击。
As for XSS, just make sure to never trust user input. Either run strip_tagsor htmlentitieswhen you store the data, or when you output it (not both as this will mess with your output), and you'll be all right.
至于 XSS,请确保永远不要相信用户输入。当您存储数据或输出数据时运行strip_tags或htmlentities(不要同时运行,因为这会干扰您的输出),您会没事的。
