我有一个 PHP 脚本应该检查“有效”的人名,但最近破解了一个带有空格的名字,所以我们在验证器中添加了空格。
除了这样做,有没有办法将黑名单添加到 CakePHP 的验证器以阻止所有“无效”字符,而不是允许“有效”字符?
注意:我知道如何在 PHP 中执行此操作(通常),但使用 CakePHP 的验证器语法是不同的。
问问题
6611 次
4 回答
15
我同意其他评论,即验证名称可能是一个坏主意。
对于几乎所有你能想到的要验证的东西,都会有人的名字违反了你的规则。如果您对阻止真人输入姓名的想法感到满意,那么您可以根据需要进行验证。但是您输入的验证规则越多,您就越有可能找到无法登录的真人。
这是一个页面的链接,该页面描述了人们试图验证的一些明显(而不是那么明显)的事情,这些事情可能会绊倒他们:
http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/
如果您想允许任何人访问您的站点,那么您真正希望的最好方法是强制设置最大字段长度以适应您在数据库中分配的空间。即使那样,你也会惹恼某人。
于 2010-10-04T08:58:23.603 回答
8
There is no way to "validate". How can you prevent someone really called:
Robert'); DROP TABLE Students; --
EDIT: What I really mean is, people in some countries may have their name in different language (say Japanese, Chinese, Korean) and may even contains symbols. How will you think if a site says your name is "INVALID" when he/she is entering their real names?
于 2010-10-04T08:20:20.697 回答
4
Custom Regular Expression Validation
var $validate = array(
'name' => array(
'rule' => '/^[^%#\/*@!...other characters you don\'t want...]+$/',
'message' => 'Only letters and integers, min 3 characters'
)
);
This is too naïve an approach though, as you would have to blacklist almost the entire range of Unicode characters. You can pretty much only do whitelisting of basic latin characters plus common quirks like spaces and apostrophes. Any more than that and you'll fight an uphill battle you can't win. You may be able to create a reasonably good algorithm over time, but it will never be 100% foolproof. So either restrict your users to basic latin names (and hope not to alienate your audience) or skip the validation entirely*.
* Or invest a few years into developing an algorithm covering <100% of human names, working 99.9% of the time.
于 2010-10-04T08:18:39.537 回答
4
不要对名称的拼写方式做出任何假设。接受任何输入(是的,任何),并在显示时进行适当的转义,这样您就不会遇到 XSS 漏洞。
我建议您在 afterFind() 的模型中进行此转义,这样您就不会在某个地方忘记它。如果您需要访问纯数据,请将原始数据保存在模型的单独字段中,例如 ['unescaped_name']。
于 2010-10-04T07:47:21.360 回答