dox90448 2014-03-25 01:09
浏览 21
已采纳

在PHP中清理CSV内容

I've built a bulk user import engine for my web application and it's working perfectly. I'm now sitting here asking myself, is it secure? After all, the content of this file is being pumped into my database!

Not being the wisest security nerd around I need a little advice here.

  • Users are not able to rename the file after it's uploaded.
  • When the file is uploaded, its name is instantly changed.
  • Files must be .csv and have a csv relative mimetype for the upload to work.
  • The uploaded file is stored in a directory not accessible via the WWW and is deleted as soon as the import has completed, usually a few hundred milliseconds.
  • I'm opening the file and removing blank lines during the import

What about the actual content of the file? How can I sanitize the file to ensure it doesn't contain any executable code? I looked at the PHP manual and saw that as of PHP 4.3.5 getcsv() is binary safe, but being totally honest, I'm not 100% sure as to what that means.

I'm currently thinking about converting the CSV content into an array and creating a function that escapes the array content. Any other suggestions or is the above completely safe?

  • 写回答

1条回答 默认 最新

  • duanpang5583 2014-03-25 01:22
    关注

    You can try using array_walk() to run mysql_escape_string() or your database's equivalent to be doubly sure everything is kosher.

    function escape_sql(&$item, $key)
{
  $item = mysql_escape_string($item);

}

array_walk($input_array, 'escape_sql');

    If your array is multi-dimensional you can use array_walk_recursive(), which operates similarly.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥50 切换TabTip键盘的输入法
  • ¥15 可否在不同线程中调用封装数据库操作的类
  • ¥15 微带串馈天线阵列每个阵元宽度计算
  • ¥15 keil的map文件中Image component sizes各项意思
  • ¥20 求个正点原子stm32f407开发版的贪吃蛇游戏
  • ¥15 划分vlan后,链路不通了?
  • ¥20 求各位懂行的人,注册表能不能看到usb使用得具体信息,干了什么,传输了什么数据
  • ¥15 Vue3 大型图片数据拖动排序
  • ¥15 Centos / PETGEM
  • ¥15 划分vlan后不通了