本文介绍PHP中用于防止SQL注入、XSS攻击等安全功能的几个实用函数,包括mysql_real_escape_string、addslashes、htmlentities、htmlspecialchars、strip_tags、md5、sha1和intval。同时提醒使用md5和sha1时应注意安全性问题,如盐的使用。
security is a very important aspect of programming. There are many functions or modules in any kind of real programming language providing security functionalities In modern websites, we may often get inputs form users all around the world.There is a famous saying which says that never trust user input. So in web programming languages, we will often see functions which will guarantee the security of the data input from users. Today we will cover some of these functions in the most famous open source language - PHP.
In PHP, there are few useful functions which is very handy for preventing your website from various attacks like SQL Injection Attack , XSS attack etc. Let’s check few useful functions available in PHP to tighten the security in your project. But note that this is not a complete list, it just list of functions which I found useful for using in your project.
1) mysql_real_escape_string() - This function is very useful for preventing from SQL Injection Attack in PHP . This function adds backslashes to the special characters like quote , double quote , backslashes to make sure that the user supplied input are sanitized before using it to query. But, make sure that you are connected to the database to use this function.
Currently mysql_real_escape_string() is not recommended to be used anymore, all new applications should use libraries like PDO to perform database operations, we can use prepared statement to refrain away from the SQL injections.
1)mysql_real_escape_string() 这个函数对于预防PHP中的SQL注入攻击很有帮助。这个函数给特殊字符添加反斜杠,比如引号、双引号,反斜杠可以确保用户提交到数据在被用于查询之前是干净的。但是,确保你使用这个函数连接上数据库。
现在不在提倡使用mysql_real_escape_string(),所有新成熟用户使用封装好的库去执行数据库操作,比如PDO,我们可以使用预制好的申明来避免SQL注入。
2) addslashes() – This function works similar as mysql_real_escape_string(). But make sure that you don’t use this function when “magic_quotes_gpc” is “on” in php.ini. When “magic_quotes_gpc” is on in php.ini then single quote(‘) and double quotes (“) are escaped with trailing backslashes in GET, POST and COOKIE variables. You can check it using the function “get_magic_quotes_gpc()” function available in PHP.
2)addslashes()-这个函数功能和mysql_real_escape_string()类似。但是确保在php.ini中已经启用magic_quotes_gpc的时候你没有使用这个函数。当在php.ini中开始magic_quotes_gpc时,GET、POST和cookie中的变量里面的单引号和双引号都会使用反斜杠转译。你可以通过使用get_magic_quotes_gpc()函数的值来检查该功能。
3) htmlentities() – This function is very useful for to sanitize the user input. This function converts the special characters to their html entities. Such as, when the user enters the characters like “<” then it will be converted into it’s HTML entities < so that preventing from XSS and SQL injection attack.
3)htmlentities()-这个函数时用来过滤用户输入值的。该函数将特殊字符转译成相应的html实体。比如,当用户输入字符“<”时,该函数会转译成对应的HTML实体<,从而避免的XSS和SQL注入攻击。
4) htmlspecialchars() -- Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with these conversions made. For example, '&' (ampersand) becomes '&'
4)htmlspecialchars() -- 特定的字符在HTML中有特殊的意义,为了维护字符原意应该将它们解释成HTML实体。这个函数在处理后返回一个string类型数据。比如'&' (ampersand) 变成'&'
5) strip_tags() – This function removes all the HTML, JavaScript and PHP tag from the string. But you can also allow particular tags to be entered by user using the second parameter of this function.
5)strip_tags() - 这个函数移除字符串中所有的HTML、javascript和PHP标签。但是你可以通过设置该函数的第二个参数来允许特定标签输入。
6) md5() – Some developers store plain password in the database which is not good for security point of view. This function generates md5 hash of 32 characters of the supplied string. The hash generated from md5() is not reversible i.e can’t be converted to the original string.
This function now is not considered as safe because there are open databases which can be used to reverse checking the plaintext of a hashed value. You can find a list of MD5 hash database here.
6)md5() - 一些开发者将密码明文的存在数据库里,这样不安全。这个函数将目标字符串生成32位的md5 hash值。通过md5函数生成的hash值是不可逆的,就是说不能被还原成初始字符串。
该函数现在不被认为是安全的,因为有开放的彩虹表用于还原hash值,你可以在这儿找到一个开放的hash数据库。
7) sha1() – This function is similar to md5 but it uses different algorithm and generates 40 characters hash of a string compared to 32 characters by md5(). And one more note is that don't forget to put the salt, otherwise your life will be salty.
7)sha1() - 这个函数与md5类似,但是它是用不同的算法生成了40位的hash值,与md5生成的32位不同。另外需要提醒,别忘记使用salt,否则你会遇到麻烦。
8) intval() – Please don’t laugh. I know this is not a security function, it is function which gets the integer value from the variable. But you can use this function to secure your PHP coding. Well, this function is most frequently used when you want to parse some value of integers such as ids, ages etc.
8)intval() - 请别觉得好笑。我这个这不是个安全函数。这个函数时用户从变量中取得整型的。但是你可以使用它提高PHP编码的安全。这个函数常用于需要解析的整数值,比如ids,年龄等等
不断学习,如果有不对的地方,请帮忙指出
扫一扫
677
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
