dongluo3331 2012-01-31 06:54
浏览 36
已采纳

mysql_real_escape_string和html_special_chars够了吗?

This question gets asked a lot, but I still haven't found a straight answer on stackoverflow. Are these two functions sufficient or not? There are a lot of contradictory comments around the internet "yes its fine?, "no, never use it". Others say, use PDO, which I don't understand. I'm just a beginner to PHP, so I don't fully understand all of the ins and outs of security. I've tried reading and understanding the following, but many don't make much sense to me.

http://ha.ckers.org/xss.html
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

What if I use preg_replace to strip unwanted characters?

I'm incredibly confused and don't know where to start.

EDIT: Could someone please also recommend how I go about understanding prepared statements (assuming this is the best option).

  • 写回答

3条回答 默认 最新

  • dongxietao0263 2012-01-31 07:25
    关注

    Sam, if you are storing the input in a database, to avoid SQL injection and XSS then those two functions are enough. If you are storing passwords, you must encrypt the passwords with one-way encryption (that is they can not be decrypted).

    Let me expand my answer: First of all, SQL Injection is a method where a malicious user will attempt to modify your SQL statement to make it do their will. For example, let's say you have a login form. By inserting one of the following values into an un-protected form, I will be able to log into the first account without knowing the username or password:

    ' or 1=1 --

    There are many versions of the above injection. Let's examine what it does to the SQL executed on the database:

    The PHP: mysql_query("SELECT * FROM users WHERE username='" . $username."' AND password='" . $password . "';");

    When the above is executed, the following SQL is sent to the database:

    SELECT * FROM users WHERE username='' or 1=1-- ' AND password='' or 1=1--';

    The effective part of this SQL is this: SELECT * FROM users WHERE username='' or 1=1

    as the double dash (with the space afterwards) is a comment, removing the rest of the statement.

    Now that gives the malicious user access. With use of an escaping function such as mysql_real_escape_string, you can escape the content so the following is sent to the database:

    SELECT * FROM users WHERE username='\' or 1=1-- ' AND password='\' or 1=1--';

    That now escapes the quotes, making the intended strings, just that - strings.

    Now let's view some XSS. Another malicious user would like to change the layout of a page. A well known XSS attack was the Facespace attack on Facebook back in 2005. This involves inserting raw HTML into forms. The database will save the raw HTML and then it will be displayed to users. A malicious user could insert some javascript with use of the script tag, which could do anything javascript can do!

    This is escaped by converting < and > to &ltl; and > respectively. You use the html_special_chars function for this.

    This should be enough to secure normal content on a site. However passwords are a different story.

    For passwords, you must also encrypt the password. It is advisable to use PHP's crypt function for this.

    However, once the password is encrypted and saved in the database as an encypted password, how can you decrypt it to check that it is correct? Easy answer - you don't decrypt it. HINT: A password always encrypts to the same value.

    Were you thinking 'We can encrypt the password when the user logs in and check it against the one in the database', you are correct...

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 想问一下树莓派接上显示屏后出现如图所示画面,是什么问题导致的
  • ¥100 嵌入式系统基于PIC16F882和热敏电阻的数字温度计
  • ¥15 cmd cl 0x000007b
  • ¥20 BAPI_PR_CHANGE how to add account assignment information for service line
  • ¥500 火焰左右视图、视差(基于双目相机)
  • ¥100 set_link_state
  • ¥15 虚幻5 UE美术毛发渲染
  • ¥15 CVRP 图论 物流运输优化
  • ¥15 Tableau online 嵌入ppt失败
  • ¥100 支付宝网页转账系统不识别账号