To prevent an xss attack, if I use a php regex to block strange characters like '> or ; do I still need to use htmlspecialchars and htmlentities?
xss攻击 - 正则表达式或htmlspecialchars
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
分享- 邀请回答
-
3条回答 默认 最新
- dpnvrt3119 2011-07-13 15:45关注
PDO does a very effective job of protecting your queries from XSS attacks. No need to worry about whether or not you remembered to protect your queries, because it is automatic. Several other frameworks support this feature as well.
If I'm not using PDO because of a client requirement or the like, I will at the very least build into my connection class an automatic htmlspecialchars function so that I never forget to do it (though this is my least favorite option)
As a UI guy, I always attack my security issues starting on the --front-- end first. Proper and well-designed front-end validation can stop unintentional issues from even getting to the query in the first place, and they're the most effective UI pattern for reporting problems to the user. Blocking elements such as
<or;makes sense in most fields, because they just don't fit. You can't rely on the front end solely, though, because a person could bypass it by turning off javascript. But, it's a good first step and a great way to limit improper queries on heavily traffic-ed sites. My validation of choice for quick and effective front-end validation of fields is here.本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报 分享
- 2011-06-30 03:10回答 3 已采纳 PDO does a very effective job of protecting your queries from XSS attacks. No need to worry about
- 2012-07-03 18:19回答 3 已采纳 给你一个正则 /^\d*(\.(5|0))?$/
- 2021-12-27 15:24回答 1 已采纳 这种只能手工测试,或者你用绿盟的极光试试
- 2020-03-09 15:46CMACCKK的博客 XSS有三种类型 存储型 特点:经过后端和数据库、危害较大 反射性 经过后端,不经过数据库 DOM型 不经过后端和数据库 XSS平台 https://xss.pt/xss.php xss无过滤代码 <?php if(isset($_POST['submit'])){ $name ...
- 2016-02-09 10:34回答 1 已采纳 Ok, so wanted to share an update and close this. Here is what I did to overcome my server injectio
- 2023-04-19 18:41回答 3 已采纳 首先,XSS攻击(Cross-Site Scripting)是一种常见的Web安全漏洞,攻击者利用网站没有对用户提交的数据进行充分过滤或转义的漏洞,在网页中注入恶意脚本,以达到攻击目的。 在前端方面,
- 2010-06-21 22:11回答 3 已采纳 I experimented a bit with the following: function text_format($string) { return preg_replace(
- 2020-12-19 12:43对网站发动XSS攻击的方式有很多种,仅仅使用php的一些内置过滤函数是对付不了的,即使你将filter_var,mysql_real_escape_string,htmlentities,htmlspecialchars,strip_tags这些函数都使用上了也不一定能保证绝对的...
- 2014-02-14 08:01回答 2 已采纳 founded my solution, I need rewrite HTACESS to redirect from http call to https. so that in https
- 2022-10-11 20:31回答 3 已采纳 js获取不到设置cookie时添加了http-only属性的cookie内容,比如用户登录网站后的身份cookie值,cookie和身份session是关联一起的。但是xss还是可以做破坏,比如修改页
- 2023-03-08 23:03回答 2 已采纳 不知道你这个问题是否已经解决, 如果还没有解决的话: 给你找了一篇非常好的博客,你可以看看是否有帮助,链接:BeEF-XSS实验手记如果你已经解决了该问题, 非常希望你能够分享一下解决方案, 写成博客
- 2021-04-27 05:52邹小樱的博客 现在有很多php开发框架都提供关于防XSS攻击的过滤方法,下面和大家分享一个预防XSS攻击和ajax跨域攻击的函数,主要去除了script等标签,下面直接上代码,不断的增加完善改进中。//去除xxs的攻击的公共方法public ...
- 2013-01-01 15:27回答 3 已采纳 Here are some of the major issues to keep in mind: Not validating user input Suppose you have a
- 2022-04-06 10:51donglianyou的博客 php防注入和XSS攻击通用过滤
- 2022-10-12 19:00维梓-的博客 xss-lab通关之路
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
- ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
- ¥20 有关区间dp的问题求解
- ¥15 多电路系统共用电源的串扰问题
- ¥15 slam rangenet++配置
- ¥15 有没有研究水声通信方面的帮我改俩matlab代码
- ¥15 ubuntu子系统密码忘记
- ¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
- ¥15 保护模式-系统加载-段寄存器
- ¥15 电脑桌面设定一个区域禁止鼠标操作