在 PDO 中使用 htmlspecialchars 函数准备和执行

2021-12-26 00:00:00 php pdo htmlspecialchars

使用htmlspecialchars()函数的PHP PDO在表单验证和数据库查询中将特殊字符转换为HTML实体真的有必要吗?

Is converting special characters to HTML entities in form validation and database query using PHP PDO using htmlspecialchars() function really necessary?

例如,我有一个或多或少具有简单登录系统的网站:

For example, I have a website with simple login system more or less like:

$username = (string) htmlspecialchars($_POST['user']);
$password = (string) htmlspecialchars($_POST['pass']);

$query = $dbh->prepare("select id where username = ? and password = ?")
$query->execute($username, $password);

请注意,除了所讨论的函数之外,我还使用了类型转换.那么,有必要吗?或者我可以安全地使用 $username = $_POST['user']; ?

Note that I also use type casting besides the function in question.. So, is it necessary? Or I can safely use $username = $_POST['user']; ?

推荐答案

您的困惑很常见,因为书籍和互联网(包括 php.net)上的信息和示例具有误导性或歧义.在开发 Web 应用程序时,您可以学到的最重要的事情是 过滤输入,转义输出.

Your confusion is quite common because information and examples in books and on the internet including php.net are misleading or ambiguous. The most important thing you can learn when developing web apps is filter input, escape output.

过滤输入这意味着对于任何数据输入,无论是由用户在表单上提供的还是由其他来源的文件提供的,都要过滤掉任何不属于的数据.一个例子是,如果您需要一个数字值,请过滤掉任何非数字字符.另一个例子是限制/确保数据的最大长度.但是,您不必为此发疯.例如,如果您希望一行文本可以包含几乎任何字符组合,那么尝试提出过滤器可能只会让您的用户感到沮丧.

Filter Input This means that for any data input whether provided by a user on a form or provided by a file from some other source, filter out anything which does not belong. An example would be that if you expect a numeric value, filter out any non-numeric characters. Another example would be limit/ensure the maximum length of data. However, you don't need to get to crazy with this. For example, if you expect a line of text that can contain literally any combination of characters, then trying to come up with a filter will probably only frustrate your users.

因此,您通常会将输入数据存储在数据库中,并预先提供一些可选的过滤功能.

So, you generally would store input data in your database as provided with optionally some filtering before hand.

转义输出转义输出的意思是正确保护给定媒体的数据.大多数时候,这个媒体是一个网页(html).但是,它也可以是纯文本、xml、pdf、图像等.对于 html,这意味着使用 htmlspecialchars()htmlentities()(您可以阅读差异此处).对于其他媒体类型,您将根据需要进行转义/转换(如果合适,则根本不进行转换).

Escape Output What is meant by escape output is to properly make safe the data for a given media. Most of the time, this media is a web page (html). But, it can also be plain text, xml, pdf, image, etc. For html, this means using htmlspecialchars() or htmlentities() (you can read up on the differences here). For other media types, you would escape/convert as appropriate (or not at all if appropriate).

现在,您的问题是您是否应该对将用作 sql 查询参数的输入数据使用 htmlspecialchars().答案是不.您不应以任何方式修改数据.

Now, your question is whether or not you should use htmlspecialchars() on input data that will be used as sql query parameters. The answer is no. You should not modify the data in any way.

是的,$_POST 中包含的数据应该被视为危险.这就是为什么您应该 1) 使用准备好的语句和绑定参数来防止 sql 注入,以及 2) 如果将 $_POST 中的数据放在 html 中,则正确转义/转换它.

Yes, the data contained in $_POST should be considered dangerous. Which is why you should 1) guard against sql injection using prepared statements and bound parameters as you are doing and 2) properly escape/convert data found in $_POST if you place it in html.

有许多 PHP 框架可以为您处理这些细节,我建议您选择并使用一个.但是,如果您不这样做,您仍然可以构建安全可靠的应用程序.无论您是否使用框架,我强烈建议您阅读OWASP.不这样做只会给您的网络应用程序带来安全噩梦.

There are many frameworks for PHP which handle these details for you and I recommend you pick and use one. However, if you do not, you can still build a safe and secure application. Whether you use a framework or not, I strongly suggest that you read the recommendations suggested by OWASP. Failure to do so will only result in a security nightmare for your web application.

相关文章