开发者

Best ways to sanitize user submitted content? [duplicate]

问答 作者:
This question already has answers here: Closed 11 years ago.

Possible Duplicate:

PHP: the ultimate clean/secure function

I am working on an experimental social networking site in PHP. So, there will be a lot of user submitted data sent to the database.

I had coded a custom block script a while back, that would just block certain characters or keywords from being submitted. This worked, but it had it's list of problems.

I heard addslashes and mysql_real_escape_string will do this, but I don't want to do anything until I get some solid advice.

I tried addslashes, and it wi开发者_C百科ll add slashes to can't, don't, etc. I don't want that.

I just want my database to be safe from xss, html, php, and javascript attacks. Any advice?

  • prepared statements from PDO
  • filter_var() functions
  • htmlspecialchars()

For people who don't know PHP or find documentation about functions:

  • prepared statements - will provide protection against SQL injections ( but not against extreme stupidity )
  • filter_var() - will let you make sure that data really us an URL or email address , etc.
  • htmlspecialchars() - converts characters like < , > and & into html entities, thus, protecting against XSS.

I really fail to see the need for explanation here.

You should HTML escape any content before outputting it back to the user. Then when it's ever outputted back it'll be safe. Use htmlspecialchars for PHP. See What are the best practices for avoiding xss attacks in a PHP site for more information and read OWASP XSS (Cross Site Scripting) Prevention Cheat Sheet.

All good answers so far, I would just like to add that you should make sure that the input data comes in the desired encoding - you should also normalize the different types of new line feeds or strip control characters altogether, I end up using the following function a lot:

function Filter($string, $control = true)
{
    $string = iconv('UTF-8', 'UTF-8//IGNORE', $string);

    if ($control === true)
    {
        return preg_replace('~\p{C}+~u', '', $string);
    }

    return preg_replace(array('~\r[\n]?~', '~[^\P{C}\t\n]+~u'), array("\n", ''), $string);
}

It will remove all invalid UTF-8 data from the string and normalize new lines. All control chars (except tab (\t) and new lines (\n)) are striped, and if $control == true these are stripped too.

PS: This is not very useful from a security standpoint of view but is helps avoiding GIGO.

  1. For HTML type input use HTMLPurifier or similar to filter out unwanted markup.
  2. Validate form fields before storing the data
  3. Use prepared statements with PDO or MySQLi when writing to the database. This will take care of the SQL escaping for you, provided you bind your parameters correctly.
  4. Escape the output coming out of the DB before displaying it unless it can be considered safe.

继续阅读:javascriptphpxss

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9