0

I'm looking into a WordPress plugin, and it has a form with an input field like this:

<input type="text" name="user_email" id="email1" value="'.strip_tags($_POST['user_email']).'"  class="short" tabindex="2" /> 

So strip_tags in value means that anything submitted through this input will be tag-stripped? Against SQL injection?

Should this security measure not be implemented on the target file of this form instead?

I'm having trouble understanding if this would be any help in securing against SQL injections.

4

3 Answers

2

First, strip_tags() is NOT a defense against SQL injection. Second, as Francois B pointed out, the tags will only be stripped when the HTML form is loaded. It doesn't matter what the user types into the form itself in their web browser; you should be sanitizing strings after the form has been submitted but before the MySQL queries are executed.

I repeat: strip_tags() is NOT an anti-SQL injection measure. If you want nearly fool-proof protection from SQL injections, you need to look into prepared statements. In most cases, sanitizing your input with a character white list, using mysql_real_escape_string(), and making sure your variables are enclosed in single-quotes is enough to protect against SQL injection.

It's far too easy for a new developer to shoot himself or herself in the foot while using PHP and MySQL; please do some research with Google and make sure to read http://bobby-tables.com/. Please ask for help and have someone experienced review your code before you publish a potentially vulnerable script.

Answered 2012-06-17T10:20:20.657
1

As noted before, prepared statements are the best defense against SQL injection.

Among system measures I'd add the mod_security application firewall (on the Apache level, if your WordPress is on Apache and you have control over the configuration); it helps against SQL injection and many other exploits.

Answered 2012-06-17T12:31:24.577
0

It will be tag-stripped only this time (setting the value of the HTML input field -- assuming this is done server-side when generating the HTML content). You have to do the same thing when accessing the database with parameters.

Answered 2012-06-17T10:07:37.470
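The point made in the first and last answers (strip_tags() only touches the rendered form value and does nothing for the query; the database access itself must use parameters) can be seen directly in code. The following is an added example, not code from the question, the plugin or any of the answers. It assumes PHP with the PDO extension and an in-memory SQLite database (both assumptions, chosen so it runs offline); the table, rows and the quoted input string are constructed for the demonstration.

```php
<?php
// Added example: strip_tags() versus a prepared statement.
// PDO + in-memory SQLite are assumed so this runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");

// Constructed input that contains a quote but no HTML tags:
// strip_tags() returns it unchanged, so it offers no protection here.
$input   = "x' OR '1'='1";
$cleaned = strip_tags($input);
var_dump($cleaned === $input);

// Vulnerable form (the pattern the answers warn against): the value is
// concatenated into the SQL text, so the quote closes the string literal
// and the rest of the input is parsed as SQL. This matches every row.
$unsafeSql  = "SELECT id, email FROM users WHERE email = '" . $cleaned . "'";
$unsafeRows = $db->query($unsafeSql)->fetchAll(PDO::FETCH_ASSOC);
echo 'Concatenated query matched ' . count($unsafeRows) . " row(s)\n";

// Hardened form: a placeholder in the SQL, the value bound separately.
// The input is only ever compared as data, never parsed as SQL, so no
// row matches the literal string "x' OR '1'='1".
$stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
$stmt->execute([':email' => $input]);
$safeRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo 'Prepared statement matched ' . count($safeRows) . " row(s)\n";

// A legitimate lookup through the same prepared statement still works.
$stmt->execute([':email' => 'alice@example.com']);
$aliceRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo 'Lookup for alice matched ' . count($aliceRows) . " row(s)\n";
```

Run it with `php example.php`: the concatenated query returns both users, the prepared statement returns none for the quoted input and exactly one for alice. Inside a WordPress plugin the equivalent of the prepared statement is `$wpdb->prepare()` with `%s`/`%d` placeholders; strip_tags() belongs, at most, to how the value is displayed in the form, not to how it reaches the database.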