What's the best method for sanitizing user input with PHP?

是否有一个catchall函数可以很好地处理SQL注入和XSS攻击的用户输入,同时还允许某些类型的html标记?


It's a common misconception that user input can be filtered. PHP even has a (now deprecated) "feature", called magic-quotes, that builds on this idea. It's nonsense. Forget about filtering (Or cleaning, or whatever people call it).

What you should do, to avoid problems, is quite simple: whenever you embed a string within foreign code, you must escape it, according to the rules of that language. For example, if you embed a string in some SQL targeting MySql, you must escape the string with MySql's function for this purpose ( mysqli_real_escape_string ). (Or, in case of databases, using prepared statements are a better approach, when possible)

Another example is HTML: If you embed strings within HTML markup, you must escape it with htmlspecialchars . This means that every single echo or print statement should use htmlspecialchars .

A third example could be shell commands: If you are going to embed strings (Such as arguments) to external commands, and call them with exec , then you must use escapeshellcmd and escapeshellarg .

And so on and so forth ...

The only case where you need to actively filter data, is if you're accepting preformatted input. Eg. if you let your users post HTML markup, that you plan to display on the site. However, you should be wise to avoid this at all cost, since no matter how well you filter it, it will always be a potential security hole.


Do not try to prevent SQL injection by sanitizing input data.

Instead, do not allow data to be used in creating your SQL code . Use Prepared Statements (ie using parameters in a template query) that uses bound variables. It is the only way to be guaranteed against SQL injection.

Please see my website http://bobby-tables.com/ for more about preventing SQL injection.


No. You can't generically filter data without any context of what it's for. Sometimes you'd want to take a SQL query as input and sometimes you'd want to take HTML as input.

You need to filter input on a whitelist -- ensure that the data matches some specification of what you expect. Then you need to escape it before you use it, depending on the context in which you are using it.

The process of escaping data for SQL - to prevent SQL injection - is very different from the process of escaping data for (X)HTML, to prevent XSS.

链接地址: http://www.djcxy.com/p/3688.html

上一篇: 防止网站上的蛮力登录

下一篇: 用PHP清理用户输入的最佳方法是什么?