Should I sanitize every form variable that gets passed?

Time: 2022-09-20 10:46:50

I have a form with many fields...

The action is set to a php page which queries mysql...

Should I sanitize with mysql_real_escape_string every single variable? Or can I ignore sanitizing drop-lists and radios for instance?

Also, besides mysql_real_escape_string, what else should I do to prevent attacks?

Thanks

6 solutions

#1


5  

You must check selects and radio buttons too. Anyone can create their own HTML form and post it to your script. The Firefox extension Web Developer Toolbar even has an option to convert selects to text inputs.

You can also check that the posted data only contains correct values. For example, if you have a radio button, make sure that the posted form only contains one of the valid values.

You should of course only run mysql_real_escape_string on variables that you are going to put into MySQL. If you are saving to a file, using it on the command line or anything else, there are more appropriate functions and solutions.

#2


2  

In general it is trivial to form a POST request outside of the browser and so bypass any restrictions the drop down list (for example) may have imposed on possible values.

Because of this you should always treat user data as hostile and error-prone and put as much validation and protection on the server-side as possible.

#3


2  

Another bunch of ignorant answers. Camran, you're attracting it like a magnet.

You have to understand that mysql_real_escape_string has nothing to do with forms and radios, nor with checking and sanitizing.
And it does not prevent attacks.

It is merely a string escaping function. It escapes data that is going to be inserted into an SQL query string as string data.

An SQL query is a little program, with its own syntax. You must follow that syntax, not because of "attacks" but because it's just syntax. And, of course, these rules do not depend on the source of the data! Radio button, HTML form or browser - none of it matters!

And it works only with strings. Not with numbers or identifiers.

Here is my answer on how to handle an SQL query: In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
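
An added example (not code from this answer or from the question) of what the "strings only" rule above means in practice: mysql_real_escape_string only protects a quoted string literal, so a number slot or an identifier slot (the ORDER BY column a drop-down might submit) needs a different check. It uses PDO with an in-memory SQLite database so that it runs without a MySQL server; the table, its rows and the column whitelist are constructed for the example, and addslashes() stands in for mysql_real_escape_string(), which needs a live connection (the mysql extension it belongs to was removed in PHP 7.0, so new code should use PDO or mysqli prepared statements regardless).

```php
<?php
declare(strict_types=1);

// Added example, not from the original question or answers. Runs against an
// in-memory SQLite database (assumes the pdo_sqlite extension); for MySQL only
// the DSN in openDb() changes.

/**
 * The shape of code the question implies, reduced to query-text construction.
 * addslashes() stands in for mysql_real_escape_string() (which needs a live
 * MySQL connection). For this input both leave the string untouched: there is
 * no quote, backslash or NUL in "1 OR 1=1", so there is nothing to escape, and
 * the number slot is not quoted in the first place.
 */
function escapedButStillInjectable(string $idInput): string
{
    $escaped = addslashes($idInput);
    return 'SELECT id, name FROM users WHERE id = ' . $escaped;
}

// Column names the "sort by" drop-down may legitimately submit. An identifier
// is not a string literal: it can be neither escaped nor bound, only whitelisted.
const SORTABLE = ['id', 'name', 'email'];

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name, email) VALUES
        ('alice', 'alice@example.com'),
        ('bob',   'bob@example.com'),
        ('carol', 'carol@example.com')");
    return $db;
}

/**
 * Each slot gets the treatment its syntactic role requires:
 *   id   -> number slot:     validate as digits, bind as PDO::PARAM_INT
 *   sort -> identifier slot: whitelist, then interpolate the whitelisted name
 *   name -> string slot:     bind as PDO::PARAM_STR; quotes inside are data
 * Returns the matching rows; throws InvalidArgumentException on bad input.
 */
function findUsers(PDO $db, string $idInput, string $sortInput, string $nameInput): array
{
    if (!ctype_digit($idInput)) {                 // rejects "1 OR 1=1", "", "-1", "1.5"
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    if (!in_array($sortInput, SORTABLE, true)) {  // strict: no type juggling
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $db->prepare(
        "SELECT id, name, email FROM users WHERE id >= :id AND name = :name ORDER BY $sortInput"
    );
    $stmt->bindValue(':id', (int) $idInput, PDO::PARAM_INT);
    $stmt->bindValue(':name', $nameInput, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (PHP_SAPI === 'cli') {
    echo escapedButStillInjectable('1 OR 1=1'), "\n";   // the escaping step changed nothing
    $db = openDb();
    echo 'rows for a normal lookup: ', count(findUsers($db, '1', 'name', 'alice')), "\n";
    echo 'rows for the injection attempt: ', count(findUsers($db, '1', 'name', "alice' OR '1'='1")), "\n";
    foreach ([['1 OR 1=1', 'name'], ['1', 'name; DROP TABLE users']] as [$id, $sort]) {
        try {
            findUsers($db, $id, $sort, 'alice');
        } catch (InvalidArgumentException $e) {
            echo "rejected ($id / $sort): ", $e->getMessage(), "\n";
        }
    }
}
```

Only the name goes through a bound string parameter; the id is cast after a digits-only check and the sort column is taken from the whitelist, which is exactly the answer's point: the escaping function has nothing to offer the other two slots. The injection attempt in the name matches no row because its quotes travel as data, while the malformed id and sort values are rejected before any SQL is built.
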

#4


1  

Any variable sent from the client can't be considered safe and valid. If you are using them in a query you should always sanitize them.

#5


1  

You only need to use mysql_real_escape_string to escape strings prior to using them in SQL statements, to prevent SQL Injection attacks.

In addition, when taking data out of your database and writing it out as HTML, you should consider using htmlspecialchars or strip_tags to prevent cross-site scripting attacks.
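
An added example, not code from the answer, of the output side: htmlspecialchars() next to strip_tags() on two constructed stored values, one landing in a text node and one in an attribute. The caveat a practitioner would want is that strip_tags() only removes tags, and a value that breaks out of an attribute contains no tag at all, so only htmlspecialchars() with ENT_QUOTES handles both contexts (before PHP 8.1 its default flags did not escape single quotes, so pass the flags explicitly).

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. The "stored" values are
// constructed to stand in for what an earlier request wrote to the database.

/** Escape a value for an HTML text node or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES: escape ' as well as " (needed inside single-quoted attributes).
    // ENT_SUBSTITUTE: replace invalid UTF-8 rather than returning "" silently.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Profile row: display name in a text node, nickname in a title attribute. */
function renderProfile(string $name, string $nick): string
{
    return '<li title="' . h($nick) . '">' . h($name) . '</li>';
}

/** The same row guarded only by strip_tags(), to show where that falls short. */
function renderProfileStripTagsOnly(string $name, string $nick): string
{
    return '<li title="' . strip_tags($nick) . '">' . strip_tags($name) . '</li>';
}

// Constructed attacker-supplied values as they might sit in the database.
const STORED_NAME = '<script>alert(document.cookie)</script>';   // aimed at the text node
const STORED_NICK = '" onmouseover="alert(document.cookie)';     // aimed at the attribute

if (PHP_SAPI === 'cli') {
    echo 'htmlspecialchars: ', renderProfile(STORED_NAME, STORED_NICK), "\n";
    echo 'strip_tags only:  ', renderProfileStripTagsOnly(STORED_NAME, STORED_NICK), "\n";
}
```

strip_tags() does remove the script element from the name, but STORED_NICK contains no tag, so it passes through unchanged and closes the title attribute early with its own event handler attached; htmlspecialchars() turns the quotes into &quot; and the angle brackets into &lt; and &gt;, so the value stays inert in both places.
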

#6


0  

You only have to sanitize the fields that you don't want an attacker to hijack. The data can be from any source, not just your page. mysql_real_escape_string is good for any value that will be concatenated into a query, but I "sanitize" everything. To me, "sanitize" means more than handling injection attacks; it includes any field validation as well (string length, numeric, valid date, empty, etc.).
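
An added example, not code from answers #1, #2 or #6, that puts their advice into one server-side validator: every field is checked against what the application accepts, the drop-down and the radio buttons included, since the request need not have come from our form at all; and the checks cover length, numeric range, date validity and emptiness, not only what escaping would catch. The field names and accepted values are invented for the example, the two posted requests are constructed, and the code assumes the mbstring extension.

```php
<?php
declare(strict_types=1);

// Added example, not from the original question or answers. Field names and
// accepted values are invented for illustration; assumes the mbstring extension.

const PLANS  = ['free', 'basic', 'pro'];   // values of the <select name="plan">
const YES_NO = ['yes', 'no'];              // values of the newsletter radio buttons

/**
 * Validate a posted form on the server only. The browser widgets (drop-down,
 * radio) are treated as hints: every value is checked against what the
 * application accepts, because the request may not have come from our form.
 * Returns ['values' => cleaned data, 'errors' => field => message]; a form is
 * accepted only when 'errors' is empty.
 */
function validateSignup(array $post): array
{
    $values = [];
    $errors = [];

    // Free-text field: must be a string (name[] would arrive as an array),
    // well-formed UTF-8, non-empty after trimming, and bounded in length.
    $name = $post['name'] ?? '';
    if (!is_string($name) || !mb_check_encoding($name, 'UTF-8')) {
        $errors['name'] = 'must be valid text';
    } elseif (trim($name) === '') {
        $errors['name'] = 'required';
    } elseif (mb_strlen($name) > 64) {
        $errors['name'] = 'too long';
    } else {
        $values['name'] = trim($name);
    }

    // Numeric field: digits only, then range-checked as an integer.
    $age = $post['age'] ?? '';
    if (!is_string($age) || !ctype_digit($age)) {
        $errors['age'] = 'must be a whole number';
    } elseif ((int) $age < 13 || (int) $age > 120) {
        $errors['age'] = 'out of range';
    } else {
        $values['age'] = (int) $age;
    }

    // Drop-down: membership in the fixed set, strict so type juggling cannot help.
    $plan = $post['plan'] ?? null;
    if (!is_string($plan) || !in_array($plan, PLANS, true)) {
        $errors['plan'] = 'unknown plan';
    } else {
        $values['plan'] = $plan;
    }

    // Radio buttons: exactly one of the known values, nothing else.
    $newsletter = $post['newsletter'] ?? null;
    if (!is_string($newsletter) || !in_array($newsletter, YES_NO, true)) {
        $errors['newsletter'] = 'must be yes or no';
    } else {
        $values['newsletter'] = ($newsletter === 'yes');
    }

    // Date: parse with a fixed format and require a round trip, because
    // createFromFormat() accepts 2022-02-31 and silently rolls it into March.
    $birth = $post['birthdate'] ?? '';
    $dt = is_string($birth) ? DateTime::createFromFormat('!Y-m-d', $birth) : false;
    if ($dt === false || $dt->format('Y-m-d') !== $birth) {
        $errors['birthdate'] = 'must be a real date in YYYY-MM-DD';
    } else {
        $values['birthdate'] = $dt->format('Y-m-d');
    }

    return ['values' => $values, 'errors' => $errors];
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: one from our own form, one assembled outside the browser.
    $fromOurForm = ['name' => 'Alice', 'age' => '34', 'plan' => 'pro',
                    'newsletter' => 'no', 'birthdate' => '1990-02-28'];
    $handCrafted = ['name' => str_repeat('A', 200), 'age' => '1 OR 1=1',
                    'plan' => "pro'; DROP TABLE users; --", 'newsletter' => ['yes'],
                    'birthdate' => '2022-02-31'];
    foreach (['our form' => $fromOurForm, 'hand-crafted' => $handCrafted] as $label => $post) {
        $result = validateSignup($post);
        echo "$label: ", $result['errors'] === [] ? 'accepted' : 'rejected ' . json_encode($result['errors']), "\n";
    }
}
```

Every branch rejects rather than repairs: the drop-down and radio values are matched with strict in_array() against the fixed sets, the numeric field is checked as digits before being cast, the date must survive a round trip through the parser, and an array where a string was expected (the name[] trick) fails the is_string() check instead of reaching the database. The cleaned values in 'values' are what the query layer should receive; the escaping or binding of those values is a separate step that the validator does not replace.
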
