
Is regular expression quite enough to handle script injection? [closed]

As it currently stands, this question is not a good fit for our Q&A format. We expect answers to be supported by facts, references, or expertise, but this question will likely solicit debate, arguments, polling, or extended discussion. If you feel that this question can be improved and possibly reopened, visit the help center for guidance. Closed 11 years ago.

What else do you think would be a great tool to prevent form injection, URL injection, or any other kind of injection?

Not too specific to the code, just the big picture.


filter your input / validate your output

That's it. For avoiding script injections, or any other kind of Cross-site Scripting, you need to ensure that any character displayed on the webpage as part of text is not any of the 5 special html characters. Use htmlspecialchars to encode them to their equivalent html entities (which are displayed normally, but not processed by the html engine):

  • & becomes &amp;
  • > becomes &gt;
  • < becomes &lt;
  • ' becomes &#039;
  • " becomes &quot;

For SQL injection, the principle is the same, avoid special SQL characters in your queries, by using mysql_real_escape_string, mysqli_real_escape_string, pg_escape_string, PHP Data Objects (PDO) or prepared statements.

To avoid shell commands injection, you need to avoid another set of characters. Use escapeshellcmd and escapeshellarg.

And for other mediums, other characters are involved, and other functions needed. As someone said in a comment, there is no silver bullet.
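An added example (not code from the answer above) showing the three escaping contexts it names, in PHP: htmlspecialchars for HTML text, a PDO prepared statement for SQL (in place of the mysql_* escaping functions, which were removed in PHP 7), and escapeshellarg for a shell argument. The function names, the in-memory SQLite table and the attacker-style inputs are constructed for the demonstration; the shell command is only built, never executed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer: the same untrusted input escaped
// for three different output contexts. The sample inputs below are constructed.

/** HTML text context: encode the five special characters so the browser shows them as text. */
function render_text(string $untrusted): string
{
    // ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** SQL context: a prepared statement keeps the value out of the query text entirely. */
function find_user(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Shell context: the argument becomes one quoted word the shell will not interpret. */
function build_ping_command(string $host): string
{
    return 'ping -c 1 ' . escapeshellarg($host);
}

// --- demonstration with constructed attacker-controlled values ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

$xss   = '<script>alert("x")</script>';
$sqli  = "' OR 1=1 --";
$shell = '127.0.0.1; rm -rf /';

// The tags and quotes come back as entities, so the page shows them as text.
echo render_text($xss), PHP_EOL;

// Unsafe: concatenation makes the value part of the SQL, so the OR 1=1 matches every row
// and the trailing quote is swallowed by the -- comment.
$unsafe = $db->query("SELECT id, name FROM users WHERE name = '" . $sqli . "'")
             ->fetchAll(PDO::FETCH_ASSOC);
echo count($unsafe), " row(s) from the concatenated query", PHP_EOL;

// Safe: the bound value is compared literally, so the payload matches no user.
var_dump(find_user($db, $sqli));
var_dump(find_user($db, 'alice'));

// The semicolon and the rest of the payload stay inside a single quoted argument.
echo build_ping_command($shell), PHP_EOL;
```

Run it and compare the row count of the concatenated query with the result of find_user() on the same input: the prepared statement never interprets the value as SQL, which is why it is preferable to escaping. Note that each function is only correct for its own context; render_text() does not protect a value placed inside a JavaScript block or a URL attribute, which need their own encoders.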


The big picture is best summarised by the term: Filter Input Escape Output (FIEO).

PHP has all the tools you need to perform these functions, but you need to fully grok what each of them means, identify the correct tool and apply it properly.

It might help to think of PHP as the man in the middle.

In one direction, anything PHP is expected to handle that comes from any external source should be "Filtered" against expectations where possible.

Anything PHP then passes the data to has to be Escaped so that the next environment is protected from any kind of malicious attack. Escaped so that it does not damage the database, or escaped so that it cannot cause an XSS attack if echoed onto a web page, are the two most common scenarios.


All the sorts of injection you are talking about (URL, SQL, form, headers, etc.) can only happen when you use data retrieved from such sources without caution.

The moment you use a _GET/_POST/etc. variable directly inside a SQL query, return headers or even script filenames/URLs, the code is influenced by injection.

However, as long as you don't just use those variables, and always escape them correctly to make sense (e.g. mysql_real_escape_string for SQL queries), then injection isn't that easy anymore.

Using regex to validate input when used somewhere is possible too, but then the weakest link is your regular expression. You'd have to make sure to test the regular expression on practically any malicious input possible to your script.

The main thing is just to sanitize your input. Never use anything that can be changed by a user directly, ever.
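An added example (not code from the answer above, nor from the FIEO answer before it) for the "filter input" half of the advice: allow-list validation of three common field types in PHP, with a comparison that shows why a regular expression really can be the weakest link. The function names, the field rules and the test inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answers: allow-list validation of a few
// common field types, plus a check that shows how an anchored-looking regex can
// still let hostile input through. All inputs at the bottom are constructed.

/** Username: a narrow allow-list. \A and \z anchor to the true ends of the string. */
function valid_username(string $s): bool
{
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $s) === 1;
}

/** Weaker variant kept for comparison: in PCRE, $ also matches before a final "\n"
 *  unless the D modifier is used, so "alice\n" passes this check. */
function valid_username_loose(string $s): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $s) === 1;
}

/** Numeric id: let PHP parse an integer instead of hand-writing a digit regex. */
function valid_id(string $s): ?int
{
    $v = filter_var($s, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/** Redirect target: only a same-site relative path, never a full or protocol-relative URL. */
function valid_redirect_path(string $s): bool
{
    // Exactly one leading slash (the lookahead rejects "//host"), then a small
    // allow-list of path and query characters; no scheme, backslash or control bytes.
    return preg_match('#\A/(?!/)[A-Za-z0-9_\-./?=&%]*\z#', $s) === 1;
}

// --- demonstration with constructed inputs ---
$usernames = ["alice", "alice\n", "a'; DROP TABLE users; --", "<b>x</b>"];
foreach ($usernames as $u) {
    printf("%-32s strict=%-5s loose=%s\n",
        json_encode($u),
        var_export(valid_username($u), true),
        var_export(valid_username_loose($u), true));
}

foreach (["42", "42abc", "-1", "0x2A"] as $id) {
    printf("%-8s -> %s\n", $id, var_export(valid_id($id), true));
}

foreach (["/account", "//evil.example/", "https://evil.example/", "/a?b=1&c=2"] as $p) {
    printf("%-24s -> %s\n", $p, var_export(valid_redirect_path($p), true));
}
```

The "alice\n" row is the one to look at: the loose pattern accepts it and the strict one rejects it, and a trailing newline is exactly what a header-injection payload needs. Validation like this narrows what reaches the rest of the program, but it does not replace escaping at output: a value that passes valid_username() is still passed to SQL through a prepared statement and to HTML through htmlspecialchars.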

