dongluo3331 2012-01-31 06:54
浏览 36
已采纳

mysql_real_escape_string和html_special_chars够了吗?

This question gets asked a lot, but I still haven't found a straight answer on stackoverflow. Are these two functions sufficient or not? There are a lot of contradictory comments around the internet "yes its fine?, "no, never use it". Others say, use PDO, which I don't understand. I'm just a beginner to PHP, so I don't fully understand all of the ins and outs of security. I've tried reading and understanding the following, but many don't make much sense to me.

http://ha.ckers.org/xss.html
Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

What if I use preg_replace to strip unwanted characters?

I'm incredibly confused and don't know where to start.

EDIT: Could someone please also recommend how I go about understanding prepared statements (assuming this is the best option).

  • 写回答

3条回答 默认 最新

  • dongxietao0263 2012-01-31 07:25
    关注

    Sam, if you are storing the input in a database, to avoid SQL injection and XSS then those two functions are enough. If you are storing passwords, you must encrypt the passwords with one-way encryption (that is they can not be decrypted).

    Let me expand my answer: First of all, SQL Injection is a method where a malicious user will attempt to modify your SQL statement to make it do their will. For example, let's say you have a login form. By inserting one of the following values into an un-protected form, I will be able to log into the first account without knowing the username or password:

    ' or 1=1 --

    There are many versions of the above injection. Let's examine what it does to the SQL executed on the database:

    The PHP: mysql_query("SELECT * FROM users WHERE username='" . $username."' AND password='" . $password . "';");

    When the above is executed, the following SQL is sent to the database:

    SELECT * FROM users WHERE username='' or 1=1-- ' AND password='' or 1=1--';

    The effective part of this SQL is this: SELECT * FROM users WHERE username='' or 1=1

    as the double dash (with the space afterwards) is a comment, removing the rest of the statement.

    Now that gives the malicious user access. With use of an escaping function such as mysql_real_escape_string, you can escape the content so the following is sent to the database:

    SELECT * FROM users WHERE username='\' or 1=1-- ' AND password='\' or 1=1--';

    That now escapes the quotes, making the intended strings, just that - strings.

    Now let's view some XSS. Another malicious user would like to change the layout of a page. A well known XSS attack was the Facespace attack on Facebook back in 2005. This involves inserting raw HTML into forms. The database will save the raw HTML and then it will be displayed to users. A malicious user could insert some javascript with use of the script tag, which could do anything javascript can do!

    This is escaped by converting < and > to &ltl; and > respectively. You use the html_special_chars function for this.

    This should be enough to secure normal content on a site. However passwords are a different story.

    For passwords, you must also encrypt the password. It is advisable to use PHP's crypt function for this.

    However, once the password is encrypted and saved in the database as an encypted password, how can you decrypt it to check that it is correct? Easy answer - you don't decrypt it. HINT: A password always encrypts to the same value.

    Were you thinking 'We can encrypt the password when the user logs in and check it against the one in the database', you are correct...

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 做个有关计算的小程序
  • ¥15 MPI读取tif文件无法正常给各进程分配路径
  • ¥15 如何用MATLAB实现以下三个公式(有相互嵌套)
  • ¥30 关于#算法#的问题:运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题 求各位帮我解答一下
  • ¥15 setInterval 页面闪烁,怎么解决
  • ¥15 如何让企业微信机器人实现消息汇总整合
  • ¥50 关于#ui#的问题:做yolov8的ui界面出现的问题
  • ¥15 如何用Python爬取各高校教师公开的教育和工作经历
  • ¥15 TLE9879QXA40 电机驱动
  • ¥20 对于工程问题的非线性数学模型进行线性化