How to secure $_REQUEST?

Developer https://www.devze.com 2023-02-23 15:53 Source: web

How can I secure $_REQUEST before inserting to mysql database? For example following:

$message = $_REQUEST['message'];
$tags = $_REQUEST['item']['tags'];

Thanks.


Depends on what you mean by "secure", and how you intend to insert the data. $_REQUEST isn't broken or anything; it's just that the data in it can be just about anything, so you'll need to "sanitize" it before you use it.

For example, if 'some_id' should only ever be an int,

$some_id = intval($_REQUEST['some_id']);

will ensure that $some_id is always an int. (Even if it didn't exist in $_REQUEST! In which case it will be 0.)

If you use prepared statements, a lot of the issues with $_REQUEST data go away -- that is, extensions like PDO and mysqli will escape parameters for you (if you use placeholders, like all good prepared statements should!), so all you have to do is make sure the data is valid. (For example, above, it'd have been a good idea to make sure $_REQUEST['some_id'] was set first -- since we didn't, we got a 0 back, which may not be valid.)

If you don't use prepared statements, then you have a little more work ahead of you. You'll need to use mysql_real_escape_string to escape strings as you feed them into the database, like so:

$some_string_sql = mysql_real_escape_string($_REQUEST['some_string']);
$id = intval($_REQUEST['id']);
mysql_query("UPDATE stuff SET some_string = '$some_string_sql' WHERE id = $id");

Note that I did this just for the query! Too many PHP noobs think they can just apply some magic formula to everything in $_REQUEST at the beginning of their script to make everything safe. You kinda can, if you're always just feeding it directly into an SQL query -- but it trashes your data if you're using it for other stuff! For example, if you write the data to a file as well, blindly escaping the data will leave you with a bunch of ugly backslashes in your file. You should never have to *un*escape your data -- it should always be escaped as you need it, for the specific purpose you intend to use it. (htmlentities for arbitrary data being printed to the screen, mysql_real_escape_string for stuff going into an SQL query.)

Also note: If you have magic_quotes_gpc enabled on your site, disable it for the reasons mentioned in the previous paragraph. Properly escaped stuff will break in the presence of magic quotes, because it's already been "escaped" once (half-assedly, hence the quotes) by PHP! Fortunately this misfeature will be removed from PHP 6, if it ever ships. But until then, if you have magic quotes enabled, you'll need to stripslashes(anything from $_REQUEST, $_GET, $_POST, or $_COOKIE) before you can properly escape it. DO NOT rely on the magic quotes -- they're a convenience thing, and not at all designed for security.
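The following is an added example, not code from the answer above, that puts its three points together in one script: validate the input first (an id that is missing is rejected, not silently turned into 0), undo magic quotes if the PHP build still has them, and then escape each value only at the point of use and only for that purpose. It assumes an in-memory SQLite database via PDO as a stand-in for MySQL so that it runs offline, and the $_REQUEST contents are constructed sample input; the table name `stuff` and column `some_string` follow the answer's query.

```php
<?php
// Added example (not from the original answers). Validate first, then escape
// each value for the specific sink it goes into: a PDO prepared statement for
// SQL, htmlspecialchars() for HTML, and nothing at all for a plain-text file.
// Assumptions: SQLite in memory stands in for MySQL; $_REQUEST is constructed.

// Constructed sample request, deliberately containing a quote and SQL text.
$_REQUEST = [
    'some_id' => '42',
    'message' => "It's <b>bold</b>; DROP TABLE stuff; --",
];

// Fetch a raw string from $_REQUEST, undoing magic_quotes_gpc if this PHP
// build still has it enabled (get_magic_quotes_gpc() was removed in PHP 8),
// so that nothing ends up escaped twice.
function raw_request(string $key): ?string
{
    if (!isset($_REQUEST[$key]) || !is_string($_REQUEST[$key])) {
        return null;
    }
    $value = $_REQUEST[$key];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Validate: the id must be present and an integer, not a default of 0.
$some_id = filter_var(raw_request('some_id'), FILTER_VALIDATE_INT);
if ($some_id === false) {
    http_response_code(400);
    exit("some_id must be an integer\n");
}

// Validate: the message must be present and of a sane length.
$message = raw_request('message');
if ($message === null || strlen($message) > 1000) {
    http_response_code(400);
    exit("message missing or too long\n");
}

// Sink 1: SQL through a prepared statement with named placeholders. Nothing is
// escaped by hand; the driver keeps the data separate from the query text.
$db = new PDO('sqlite::memory:');   // assumption: stand-in for the MySQL server
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stuff (id INTEGER PRIMARY KEY, some_string TEXT)');
$db->exec("INSERT INTO stuff (id, some_string) VALUES (42, 'old')");

$update = $db->prepare('UPDATE stuff SET some_string = :msg WHERE id = :id');
$update->execute([':msg' => $message, ':id' => $some_id]);

// Read it back: the stored value is the message verbatim, quote and all, and
// the SQL fragment inside it was never executed.
$stored = $db->query('SELECT some_string FROM stuff WHERE id = 42')->fetchColumn();
if ($stored !== $message) {
    throw new RuntimeException('stored value differs from input');
}

// Sink 2: HTML. Escaped at output time, for this purpose only.
echo '<p>' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "</p>\n";

// Sink 3: a plain-text log. Written raw; applying SQL or HTML escaping here
// would leave stray backslashes or entities in the file.
file_put_contents(sys_get_temp_dir() . '/message.log', $stored . "\n", FILE_APPEND);
```

Run it with the PHP CLI (php example.php); the PDO SQLite driver is bundled with most PHP builds. Swapping the DSN for a MySQL one changes nothing else in the script, which is the point of letting the driver handle the placeholders.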


You should just not forget to escape your data when injecting it into SQL queries.

Either use a function to escape the data:
Depending on the API you're working with:

  • mysql_real_escape_string,
  • mysqli_real_escape_string,
  • or PDO::quote

Or you could use Prepared Statements:
Those might seem a bit harder to understand, at first -- but they are worth investing some time...

  • With mysqli,
  • And with PDO.


Then, of course, when using the data from the database to generate some output, the same idea applies: escape the output.

If you are generating some HTML output, you'll typically want to use something like htmlspecialchars.
Or, to allow some specific HTML tags, see HTML Purifier.

If you are generating some other kind of output, you'll have to find how to escape your data specifically for this type of output.
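As an added example (not code from this answer or from the question), here is the mysqli prepared-statement route applied to the question's own inputs, $_REQUEST['message'] and the nested array $_REQUEST['item']['tags']: each value is validated before it is bound, and one prepared statement is executed once per tag. The connection credentials and the tables `messages` and `message_tags` are placeholders, and the $_REQUEST contents are constructed sample input.

```php
<?php
// Added example (not from the original answers). mysqli prepared statements
// for the question's inputs, with validation of the nested tags array.
// Assumptions: placeholder credentials and tables; $_REQUEST is constructed.

$_REQUEST = [
    'message' => "Tags with a quote: it's fine",
    'item'    => ['tags' => ['php', "o'reilly", 'sql injection', str_repeat('x', 80), 42]],
];

// Validate the message: a non-empty string of bounded length.
$message = $_REQUEST['message'] ?? null;
if (!is_string($message) || $message === '' || strlen($message) > 1000) {
    http_response_code(400);
    exit("bad message\n");
}

// Validate the tags: item[tags] must be an array, and each entry a short
// string of letters, digits, spaces, apostrophes or hyphens. Entries that are
// not strings (the 42) or too long (the 80 x's) are dropped, not cast.
$tags_raw = $_REQUEST['item']['tags'] ?? null;
if (!is_array($tags_raw)) {
    http_response_code(400);
    exit("item[tags] must be an array\n");
}
$tags = [];
foreach ($tags_raw as $tag) {
    if (!is_string($tag) || !preg_match('/^[\p{L}\p{N} \'\-]{1,32}$/u', $tag)) {
        continue;
    }
    $tags[] = $tag;
}
$tags = array_values(array_unique($tags));   // php, o'reilly, sql injection

// Connect. PLACEHOLDER credentials; replace with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');   // the connection charset governs how bytes are interpreted

$db->begin_transaction();
try {
    // One message row. '?' placeholders are bound with a type string ('s' = string).
    $ins = $db->prepare('INSERT INTO messages (body) VALUES (?)');
    $ins->bind_param('s', $message);
    $ins->execute();
    $message_id = $db->insert_id;

    // One prepared statement for all tags. bind_param() binds by reference and
    // the values are read at execute() time, so reassigning $tag in the loop
    // is enough; no per-row query string is ever built.
    $tag = '';
    $ins_tag = $db->prepare('INSERT INTO message_tags (message_id, tag) VALUES (?, ?)');
    $ins_tag->bind_param('is', $message_id, $tag);
    foreach ($tags as $tag) {
        $ins_tag->execute();
    }
    $db->commit();
} catch (mysqli_sql_exception $e) {
    $db->rollback();
    throw $e;
}
```

The apostrophe in "o'reilly" reaches the database intact without any call to mysqli_real_escape_string, because the bound value is sent separately from the statement text. The validation step is still needed: prepared statements stop SQL injection, but they will happily store an integer where you expected a tag name or a 10 kB string where you expected a short label.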


Use either mysql_real_escape_string() or PDO's prepared statements. I recommend the latter, as it also helps keep your queries nice and tidy.


As secure as anything could be in them.

The user can change those values to whatever they want.

So, not secure at all. Always sanitize your inputs.


There is nothing to secure.

Your database input should be just properly formatted.
For strings, that's quoting and escaping.

As long as your input data is limited to strings and you follow the formatting rules, no special security is required.
