dox90448 2014-03-25 01:09
21 views
Accepted

Sanitizing CSV content in PHP

I've built a bulk user import engine for my web application and it's working perfectly. I'm now sitting here asking myself, is it secure? After all, the content of this file is being pumped into my database!

Not being the wisest security nerd around, I need a little advice here.

  • Users are not able to rename the file after it's uploaded.
  • When the file is uploaded, its name is instantly changed.
  • Files must be .csv and have a csv relative mimetype for the upload to work.
  • The uploaded file is stored in a directory not accessible via the WWW and is deleted as soon as the import has completed, usually a few hundred milliseconds.
  • I'm opening the file and removing blank lines during the import.

What about the actual content of the file? How can I sanitize the file to ensure it doesn't contain any executable code? I looked at the PHP manual and saw that as of PHP 4.3.5 getcsv() is binary safe, but being totally honest, I'm not 100% sure as to what that means.

I'm currently thinking about converting the CSV content into an array and creating a function that escapes the array content. Any other suggestions or is the above completely safe?


1 answer

  • duanpang5583 2014-03-25 01:22

    You can try using array_walk() to run mysql_escape_string() or your database's equivalent to be doubly sure everything is kosher.

    // $input_array holds the rows already read from the CSV file.
    // mysql_escape_string() belongs to the old mysql extension, which was
    // removed in PHP 7.0; mysqli_real_escape_string() is its replacement.
    function escape_sql(&$item, $key)
    {
        $item = mysql_escape_string($item);
    }

    array_walk($input_array, 'escape_sql');


    If your array is multi-dimensional you can use array_walk_recursive(), which operates similarly.

    This answer was accepted by the asker.
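As an added example (not code from the question or the answer above), the same import step done with PDO prepared statements, which bind each CSV cell as a parameter instead of escaping it into the SQL text; the users(name, email) table, the connection details and the file path are assumptions:

```php
<?php
// Added example, not the asker's or answerer's code: import a CSV into MySQL
// with PDO prepared statements, so each cell is bound as data and can never
// alter the SQL. users(name, email), the DSN/credentials and the path are assumptions.

/** Insert each non-blank row of $path into users(name, email); return the row count. */
function import_users_csv(PDO $pdo, string $path): int
{
    $fh = fopen($path, 'rb');                  // read the uploaded bytes unchanged
    if ($fh === false) {
        throw new RuntimeException("cannot open $path");
    }
    // The SQL text is fixed once; values travel to the server separately.
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $inserted = 0;
    $pdo->beginTransaction();                  // all rows or none
    try {
        while (($row = fgetcsv($fh)) !== false) {
            if ($row === [null]) {             // fgetcsv() yields [null] for a blank line
                continue;
            }
            if (count($row) !== 2) {
                throw new UnexpectedValueException('expected 2 columns, got ' . count($row));
            }
            [$name, $email] = array_map('trim', $row);
            if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
                throw new UnexpectedValueException("invalid email: $email");
            }
            // A cell such as  ' OR 1=1 --  is stored as that string, not run as SQL.
            $stmt->execute([':name' => $name, ':email' => $email]);
            $inserted++;
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    } finally {
        fclose($fh);
    }
    return $inserted;
}

// ERRMODE_EXCEPTION makes a failed INSERT throw; EMULATE_PREPARES=false uses real
// server-side prepares instead of client-side quoting.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
echo import_users_csv($pdo, '/var/imports/upload.csv') . " rows imported\n";
```

Because the values never become part of the SQL string, no per-cell escaping pass is needed; the column-count and email checks reject malformed rows before anything reaches the database.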
