以下代码是通过 SQL 和 PHP 将数据传递到远程数据库时的卫生方法的建议。
$name = strtr(mysqli_real_escape_string($connector_obj, $_POST['name']), '/\\', ' ');
我的问题是 MSQLI 运算符会清理输入然后 strtr 运算符追加使代码仍然安全,还是该字段仍然容易受到攻击?这种清理是在初始查询之后进行的,因此另一个选项是将值传递给清理过的数据库,然后在事后执行 strtr 操作以将信息输出到面向客户的页面。
从更高级的角度来看,用户对 MSQLI 转义字符串中的斜线的观察程度如何?我认为它看起来会不那么吸引人,并且可以让那些声名狼藉的人深入了解应用程序的结构,但是任何关于这个想法的意见都会受到赞赏。
mysqli_real_escape_string only escapes the characters. It does not sanitize.
When a value is Posted, that is the time to sanitize.
I prefer using integer values. Instead of email address as a user name I request phone number. Then use a regex to remove all but the numerical values.
$number = preg_replace('/[^\d]/','',$_POST['number']);
If I'm looking for a integer number with no spaces, commas, dashes I just use:
$number = intval($_POST['number']);
You should qualify values used in a query.
$sql = sprintf("SELECT * FROM `Client` WHERE `Number` = %d", $id);
I also look at everything that is submitted. Loooking for symbols and words that are typically used in SQL Injection attacks.
$strike1 = 1 + preg_match_all('/\x3F/',$SAVE_ID,$matches, PREG_SET_ORDER); // )
$strike2 = preg_match_all('/[\x21-\x2F]|[\x3A-\x40]|[\x5B-\x60]|[\x7B-\x7F]/',$SAVE_ID,$matches, PREG_SET_ORDER);
$strike3 = preg_match_all('/\x28/',$SAVE_ID,$matches, PREG_SET_ORDER); // )
$strike4 = preg_match_all('/\x29/',$SAVE_ID,$matches, PREG_SET_ORDER); // (
$strike5 = preg_match_all('/COALESCE|0x|like|regex|mid|select|delete|drop|insert|do|call|replace|update|infile|lock|set|from|into|show|table|kill|reset/i',$SAVE_ID,$matches, PREG_SET_ORDER);
When I see too violations, I ban the IP address.
@mysql_unbuffered_query("INSERT INTO `Banned` (`ip`, `TimeStamp`,`Strike3`, `Attributes`) VALUES ('$ip', CURRENT_TIMESTAMP, $alert);");
I also watch for password failures. If I see too many failed attempts in a short amount of time, or the time between attempts is too short (not human) I ban the IP.