dsc71976 2013-04-01 10:16
Views: 76
Accepted

PHP-MySQL security approach while INSERT'ing INTO MySQL and fetching from MySQL to the screen

My Approach while INSERT’ing INTO MySql

I think I read on stackoverflow.com that "if you need escaping or a similar action, do it just at the time you need it", so in the verification pages where I verify the user inputs (null-or-not check, length check and structural checks (e.g. mail structure, custom tag structures)), I use the $_POST[''] variables as inputs. During verification, even in the custom error-printing parts, my error messages do not include any of the $_POST[''] values in the message texts.

As an interim note: I utilize prepared statements and parameterized queries during PHP-MySQL interactions. If the inputs are verified, just before INSERT'ing INTO MySQL I strip the tags from the input, since I don't allow any HTML tags other than custom structured tags (for example **bold text** === <strong>bold text</strong>). Then I insert the user input into the MySQL db.

My Approach while fetching from MySql & printing the output to the screen

I only apply the htmlspecialchars() function when printing output from the MySQL db to the screen.

My Question

I am not sure of myself. Is there any obvious or hidden weakness in my approach? Thanks in advance for the PHP gurus' valuable comments. BR

UPDATE

I won't strip tags during the insert into the MySQL db. For the reasons, please refer to the comments of ÁlvaroG.Vicario below. BR.


2 answers

  • douyi6922 2013-04-01 15:44

    The discussion thus far has been about protecting from SQL Injection and Persistent cross site scripting. It sounds like you're on the right track.

    • Your use of prepared statements is a "best practice" to combat SQL injection.
    • htmlspecialchars() is a good start to prevent XSS, but you have to escape data in the encoding scheme that is appropriate to where you are outputting data. OWASP has a comprehensive page that discusses this: XSS (Cross Site Scripting) Prevention Cheat Sheet. The short answer: Ensure you are using "the escape syntax for the part of the HTML document you're putting untrusted data into."
    Accepted answer (chosen by the asker).
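An added example (not the question's or the answer's own code) of the two halves discussed above: a parameterized INSERT with PDO, then output escaping done for the HTML context before the custom **bold** markup is expanded, so the markup cannot be used to smuggle real tags through. The `comments` table, its columns, and the SQLite in-memory database (used so it runs without a MySQL server) are assumptions.

```php
<?php
declare(strict_types=1);

// Store the raw user text with a parameterized INSERT. No escaping here:
// the driver sends the value separately from the SQL text.
function storeComment(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function fetchComment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML body context: escape first, then translate **text** into <strong>.
// Translating before escaping would turn the user's own "<" into real markup;
// escaping after translating would neutralise the <strong> we just added.
function renderComment(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // The captured content is already escaped, so only our own tags are emitted.
    return preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $safe);
}

// Attribute context: ENT_QUOTES escapes both quote characters, so the value
// is safe inside a double-quoted attribute (a different context from the body).
function renderTitleAttribute(string $raw): string
{
    return 'title="' . htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
}

// Demonstration with constructed input (assumed schema, in-memory SQLite).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$input = "O'Brien **<script>alert(1)</script>** & \"quotes\"";
$stored = fetchComment($db, storeComment($db, $input));

// The text is stored verbatim (including the quote and the tag), and only the
// custom markup becomes HTML on output; the <script> text is rendered inert.
echo renderComment($stored), "\n";
echo renderTitleAttribute($stored), "\n";
```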
