PHP数据过滤的方法
关于如何确保数据过滤无法被绕过有各种各样的观点,今天我们就来看看PHP的数据过滤,对你一定会有帮助的。
在指南的开始,我们说过数据过滤在任何语言、任何平台上都是WEB应用安全的基石。这包含检验输入到应用的数据以及从应用输出的数据,而一个好的软件设计可以帮助开发人员做到:
确保数据过滤无法被绕过,
确保不合法的信息不会影响合法的信息,并且
识别数据的来源。
关于如何确保数据过滤无法被绕过有各种各样的观点,而其中的两种观点比其他更加通用并可提供更高级别的保障。
调度方法
这种方法是用一个单一的 php 脚本调度(通过 URL)。其他任何操作在必要的时候使用include或require包含进来。这种方法一般需要每个 URL 都传递一个单独的GET变量用于调度。这个GET变量可以被认为是用来替代脚本名称的更加简化的设计。例如:
?task=PRint_formdispatch.php是唯一的根文件(Document root)。它可以让开发者做两件非常重要的事情:
在dispatch.php最开始实现一些全局的安全处理,并且确保这些处理不可以被绕过。
容易确定在必要的地方进行数据过滤,特别是一些特殊目的的控制流操作中。
看下面的例子以便进一步讨论dispatch.php脚本:
如果这是唯一的可公开访问到的 PHP 脚本,则可以确信的一点是这个程序的设计可以确保在最开始的全局安全处理无法被绕过。同时也让开发者容易看到特定任务的控制流程。例如,不需要浏览整个代码就可以容易的知道:当$form_valid为true时,end.inc是唯一显示给用户的;由于它在process.inc被包含之前,并刚刚初始化为false,可以确定的是process.inc的内部逻辑会将设置它为true;否则表单将再次显示(可能会显示相关的错误信息)。
注意
如果你使用目录定向文件,如index.php(代替dispatch.php),你可以像这样使用 URL 地址:?task=print_form。
你还可以使用 ApacheForceType重定向或者mod_rewrite来调整 URL 地址:。
包含方法
另外一种方式是使用单独一个模块,这个模块负责所有的安全处理。这个模块被包含在所有公开的 PHP 脚本的最前端(或者非常靠前的部分)。参考下面的脚本security.inc
复制代码 代码如下:
在本例中,每个提交过来的表单都认为应当含有form这个唯一验证值,并且security.inc独立处理表单中0需要过滤的数据。实现这个要求的 HTML 表单如下所示:
复制代码 代码如下:
叫做$allowed的数组用来检验哪个表单变量是允许的, 这个列表在表单被处理前应当是一致的。流程控制决定要执行什么,而process.inc是真正过滤后的数据到达的地方。
注意
确保security.inc总是被包含在每个脚本的最开始的位置比较好的方法是使用auto_prepend_file设置。
过滤的例子
建立白名单对于数据过滤是非常重要的。由于不可能对每一种可能遇到的表单数据都给出例子,部分例子可以帮助你对此有一个大体的了解。
下面的代码对邮件地址进行了验证:
复制代码 代码如下:
]+@([-a-z0-9]+\.)+[a-z]{2,}$/i';if (preg_match($email_pattern, $_POST['email'])){$clean['email'] = $_POST['email'];}?>
下面的代码确保了$_POST['color']的内容是red,green,或者blue:
复制代码 代码如下:
[/code]
下面的代码确保$_POST['num']是一个整数(integer):
[code]
下面的代码确保$_POST['num']是一个浮点数(float):
复制代码 代码如下:
名字转换
之前每个例子都使用了数组$clean。对于开发人员判断数据是否有潜在的威胁这是一个很好的习惯。 永远不要在对数据验证后还将其保存在$_POST或者$_GET中,作为开发人员对超级全局数组中保存的数据总是应当保持充分的怀疑。
需要补充的是,使用$clean可以帮助思考还有什么没有被过滤,,这更类似一个白名单的作用。可以提升安全的等级。
如果仅仅将验证过的数据保存在$clean,在数据验证上仅存的风险是你所引用的数组元素不存在,而不是未过滤的危险数据。
时机
一旦 PHP 脚本开始执行,则意味着 HTTP 请求已经全部结束。此时,用户便没有机会向脚本发送数据。因此,没有数据可以被输入到脚本中(甚至register_globals被开启的情况下)。这就是为什么初始化变量是非常好的习惯。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to write a novel in the Tomato Free Novel app. Share the tutorial on how to write a novel in Tomato Novel.
Mar 28, 2024 pm 12:50 PM
Tomato Novel is a very popular novel reading software. We often have new novels and comics to read in Tomato Novel. Every novel and comic is very interesting. Many friends also want to write novels. Earn pocket money and edit the content of the novel you want to write into text. So how do we write the novel in it? My friends don’t know, so let’s go to this site together. Let’s take some time to look at an introduction to how to write a novel. Share the Tomato novel tutorial on how to write a novel. 1. First open the Tomato free novel app on your mobile phone and click on Personal Center - Writer Center. 2. Jump to the Tomato Writer Assistant page - click on Create a new book at the end of the novel.
How to recover deleted contacts on WeChat (simple tutorial tells you how to recover deleted contacts)
May 01, 2024 pm 12:01 PM
Unfortunately, people often delete certain contacts accidentally for some reasons. WeChat is a widely used social software. To help users solve this problem, this article will introduce how to retrieve deleted contacts in a simple way. 1. Understand the WeChat contact deletion mechanism. This provides us with the possibility to retrieve deleted contacts. The contact deletion mechanism in WeChat removes them from the address book, but does not delete them completely. 2. Use WeChat’s built-in “Contact Book Recovery” function. WeChat provides “Contact Book Recovery” to save time and energy. Users can quickly retrieve previously deleted contacts through this function. 3. Enter the WeChat settings page and click the lower right corner, open the WeChat application "Me" and click the settings icon in the upper right corner to enter the settings page.
Open source! Beyond ZoeDepth! DepthFM: Fast and accurate monocular depth estimation!
Apr 03, 2024 pm 12:04 PM
0.What does this article do? We propose DepthFM: a versatile and fast state-of-the-art generative monocular depth estimation model. In addition to traditional depth estimation tasks, DepthFM also demonstrates state-of-the-art capabilities in downstream tasks such as depth inpainting. DepthFM is efficient and can synthesize depth maps within a few inference steps. Let’s read about this work together ~ 1. Paper information title: DepthFM: FastMonocularDepthEstimationwithFlowMatching Author: MingGui, JohannesS.Fischer, UlrichPrestel, PingchuanMa, Dmytr
Google is ecstatic: JAX performance surpasses Pytorch and TensorFlow! It may become the fastest choice for GPU inference training
Apr 01, 2024 pm 07:46 PM
The performance of JAX, promoted by Google, has surpassed that of Pytorch and TensorFlow in recent benchmark tests, ranking first in 7 indicators. And the test was not done on the TPU with the best JAX performance. Although among developers, Pytorch is still more popular than Tensorflow. But in the future, perhaps more large models will be trained and run based on the JAX platform. Models Recently, the Keras team benchmarked three backends (TensorFlow, JAX, PyTorch) with the native PyTorch implementation and Keras2 with TensorFlow. First, they select a set of mainstream
Quickly master: How to open two WeChat accounts on Huawei mobile phones revealed!
Mar 23, 2024 am 10:42 AM
In today's society, mobile phones have become an indispensable part of our lives. As an important tool for our daily communication, work, and life, WeChat is often used. However, it may be necessary to separate two WeChat accounts when handling different transactions, which requires the mobile phone to support logging in to two WeChat accounts at the same time. As a well-known domestic brand, Huawei mobile phones are used by many people. So what is the method to open two WeChat accounts on Huawei mobile phones? Let’s reveal the secret of this method. First of all, you need to use two WeChat accounts at the same time on your Huawei mobile phone. The easiest way is to
Slow Cellular Data Internet Speeds on iPhone: Fixes
May 03, 2024 pm 09:01 PM
Facing lag, slow mobile data connection on iPhone? Typically, the strength of cellular internet on your phone depends on several factors such as region, cellular network type, roaming type, etc. There are some things you can do to get a faster, more reliable cellular Internet connection. Fix 1 – Force Restart iPhone Sometimes, force restarting your device just resets a lot of things, including the cellular connection. Step 1 – Just press the volume up key once and release. Next, press the Volume Down key and release it again. Step 2 – The next part of the process is to hold the button on the right side. Let the iPhone finish restarting. Enable cellular data and check network speed. Check again Fix 2 – Change data mode While 5G offers better network speeds, it works better when the signal is weaker
The vitality of super intelligence awakens! But with the arrival of self-updating AI, mothers no longer have to worry about data bottlenecks
Apr 29, 2024 pm 06:55 PM
I cry to death. The world is madly building big models. The data on the Internet is not enough. It is not enough at all. The training model looks like "The Hunger Games", and AI researchers around the world are worrying about how to feed these data voracious eaters. This problem is particularly prominent in multi-modal tasks. At a time when nothing could be done, a start-up team from the Department of Renmin University of China used its own new model to become the first in China to make "model-generated data feed itself" a reality. Moreover, it is a two-pronged approach on the understanding side and the generation side. Both sides can generate high-quality, multi-modal new data and provide data feedback to the model itself. What is a model? Awaker 1.0, a large multi-modal model that just appeared on the Zhongguancun Forum. Who is the team? Sophon engine. Founded by Gao Yizhao, a doctoral student at Renmin University’s Hillhouse School of Artificial Intelligence.
The secret of hatching mobile dragon eggs is revealed (step by step to teach you how to successfully hatch mobile dragon eggs)
May 04, 2024 pm 06:01 PM
Mobile games have become an integral part of people's lives with the development of technology. It has attracted the attention of many players with its cute dragon egg image and interesting hatching process, and one of the games that has attracted much attention is the mobile version of Dragon Egg. To help players better cultivate and grow their own dragons in the game, this article will introduce to you how to hatch dragon eggs in the mobile version. 1. Choose the appropriate type of dragon egg. Players need to carefully choose the type of dragon egg that they like and suit themselves, based on the different types of dragon egg attributes and abilities provided in the game. 2. Upgrade the level of the incubation machine. Players need to improve the level of the incubation machine by completing tasks and collecting props. The level of the incubation machine determines the hatching speed and hatching success rate. 3. Collect the resources required for hatching. Players need to be in the game
