douci1196 2008-09-28 21:56
浏览 15
已采纳

全面的服务器端验证

I currently have a fairly robust server-side validation system in place, but I'm looking for some feedback to make sure I've covered all angles. Here is a brief outline of what I'm doing at the moment:

  • Ensure the input is not empty, or is too long

  • Escape query strings to prevent SQL injection

  • Using regular expressions to reject invalid characters (this depends on what's being submitted)

  • Encoding certain html tags, like <script> (all tags are encoded when stored in a database, with some being decoded when queried to render in the page)

Is there anything I'm missing? Code samples or regular expressions welcome.

  • 写回答

5条回答 默认 最新

  • doujinyi1267 2008-09-28 22:06
    关注

    You shouldn't need to "Escape" query strings to prevent SQL injection - you should be using prepared statements instead.

    Ideally your input filtering will happen before any other processing, so you know it will always be used. Because otherwise you only need to miss one spot to be vulnerable to a problem.

    Don't forget to encode HTML entities on output - to prevent XSS attacks.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(4条)

报告相同问题?

悬赏问题

  • ¥15 想问一下树莓派接上显示屏后出现如图所示画面,是什么问题导致的
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号