問(wèn)題描述
使用htmlspecialchars()
函數(shù)的PHP PDO在表單驗(yàn)證和數(shù)據(jù)庫(kù)查詢中將特殊字符轉(zhuǎn)換為HTML實(shí)體真的有必要嗎?
Is converting special characters to HTML entities in form validation and database query using PHP PDO using htmlspecialchars()
function really necessary?
例如,我有一個(gè)或多或少具有簡(jiǎn)單登錄系統(tǒng)的網(wǎng)站:
For example, I have a website with simple login system more or less like:
$username = (string) htmlspecialchars($_POST['user']);
$password = (string) htmlspecialchars($_POST['pass']);
$query = $dbh->prepare("select id where username = ? and password = ?")
$query->execute($username, $password);
請(qǐng)注意,除了所討論的函數(shù)之外,我還使用了類型轉(zhuǎn)換.那么,有必要嗎?或者我可以安全地使用 $username = $_POST['user'];
?
Note that I also use type casting besides the function in question.. So, is it necessary? Or I can safely use $username = $_POST['user'];
?
推薦答案
您的困惑很常見,因?yàn)闀突ヂ?lián)網(wǎng)(包括 php.net)上的信息和示例具有誤導(dǎo)性或歧義.在開發(fā) Web 應(yīng)用程序時(shí),您可以學(xué)到的最重要的事情是 過(guò)濾輸入,轉(zhuǎn)義輸出.
Your confusion is quite common because information and examples in books and on the internet including php.net are misleading or ambiguous. The most important thing you can learn when developing web apps is filter input, escape output.
過(guò)濾輸入這意味著對(duì)于任何數(shù)據(jù)輸入,無(wú)論是由用戶在表單上提供的還是由其他來(lái)源的文件提供的,都要過(guò)濾掉任何不屬于的數(shù)據(jù).一個(gè)例子是,如果您需要一個(gè)數(shù)字值,請(qǐng)過(guò)濾掉任何非數(shù)字字符.另一個(gè)例子是限制/確保數(shù)據(jù)的最大長(zhǎng)度.但是,您不必為此發(fā)瘋.例如,如果您希望一行文本可以包含幾乎任何字符組合,那么嘗試提出過(guò)濾器可能只會(huì)讓您的用戶感到沮喪.
Filter Input This means that for any data input whether provided by a user on a form or provided by a file from some other source, filter out anything which does not belong. An example would be that if you expect a numeric value, filter out any non-numeric characters. Another example would be limit/ensure the maximum length of data. However, you don't need to get to crazy with this. For example, if you expect a line of text that can contain literally any combination of characters, then trying to come up with a filter will probably only frustrate your users.
因此,您通常會(huì)將輸入數(shù)據(jù)存儲(chǔ)在數(shù)據(jù)庫(kù)中,并預(yù)先提供一些可選的過(guò)濾功能.
So, you generally would store input data in your database as provided with optionally some filtering before hand.
轉(zhuǎn)義輸出轉(zhuǎn)義輸出的意思是正確保護(hù)給定媒體的數(shù)據(jù).大多數(shù)時(shí)候,這個(gè)媒體是一個(gè)網(wǎng)頁(yè)(html).但是,它也可以是純文本、xml、pdf、圖像等.對(duì)于 html,這意味著使用 htmlspecialchars()
或 htmlentities()
(您可以閱讀差異此處).對(duì)于其他媒體類型,您將根據(jù)需要進(jìn)行轉(zhuǎn)義/轉(zhuǎn)換(如果合適,則根本不進(jìn)行轉(zhuǎn)換).
Escape Output
What is meant by escape output is to properly make safe the data for a given media. Most of the time, this media is a web page (html). But, it can also be plain text, xml, pdf, image, etc. For html, this means using htmlspecialchars()
or htmlentities()
(you can read up on the differences here). For other media types, you would escape/convert as appropriate (or not at all if appropriate).
現(xiàn)在,您的問(wèn)題是您是否應(yīng)該對(duì)將用作 sql 查詢參數(shù)的輸入數(shù)據(jù)使用 htmlspecialchars()
.答案是不.您不應(yīng)以任何方式修改數(shù)據(jù).
Now, your question is whether or not you should use htmlspecialchars()
on input data that will be used as sql query parameters. The answer is no. You should not modify the data in any way.
是的,$_POST 中包含的數(shù)據(jù)應(yīng)該被視為危險(xiǎn).這就是為什么您應(yīng)該 1) 使用準(zhǔn)備好的語(yǔ)句和綁定參數(shù)來(lái)防止 sql 注入,以及 2) 如果將 $_POST 中的數(shù)據(jù)放在 html 中,則正確轉(zhuǎn)義/轉(zhuǎn)換它.
Yes, the data contained in $_POST should be considered dangerous. Which is why you should 1) guard against sql injection using prepared statements and bound parameters as you are doing and 2) properly escape/convert data found in $_POST if you place it in html.
有許多 PHP 框架可以為您處理這些細(xì)節(jié),我建議您選擇并使用一個(gè).但是,如果您不這樣做,您仍然可以構(gòu)建安全可靠的應(yīng)用程序.無(wú)論您是否使用框架,我強(qiáng)烈建議您閱讀OWASP.不這樣做只會(huì)給您的網(wǎng)絡(luò)應(yīng)用程序帶來(lái)安全噩夢(mèng).
There are many frameworks for PHP which handle these details for you and I recommend you pick and use one. However, if you do not, you can still build a safe and secure application. Whether you use a framework or not, I strongly suggest that you read the recommendations suggested by OWASP. Failure to do so will only result in a security nightmare for your web application.
這篇關(guān)于在 PDO 中使用 htmlspecialchars 函數(shù)準(zhǔn)備和執(zhí)行的文章就介紹到這了,希望我們推薦的答案對(duì)大家有所幫助,也希望大家多多支持html5模板網(wǎng)!