Question

This question already has answers here:

Possible Duplicate:
PHP: the ultimate clean/secure function

在我插入一个用户时,我就采用了这一守则:

  function RegisterUser($userName, $pass, $email, $reputation, $role, $ban, $date, $ip, $numberAttempts, avatar)// anonym ,  false ,  $myDate,$ip, 0,   
  {
     $userName= SanitizeString($userName);
     $pass= SanitizeString($pass);
     $email= SanitizeString($email);

      $userName=mysql_real_escape_string($userName);
      $pass=mysql_real_escape_string($pass);
      $email=mysql_real_escape_string($email);

The sanitize function is the following:

   function SanitizeString($var)
   {
       //$var=stripslashes($var);
       $var=htmlentities($var, ENT_QUOTES,  UTF-8 );
       $var=strip_tags($var);
       return $var;
   }

我指的是保护自己免遭恶意攻击的正确途径(Xss攻击、javascript攻击、 sql注射)。

Answer 1

我也要强调保护自己免遭恶意攻击的正确途径。

定本<>NO。

Protection is not something like using one magic method to make all attacks disappear in a puff of smoke.
You need different scenarios for different attacks. A condoms commonly used for safety. Would you secure your money with a condom? I suppose - no.
Same here.

Also, mindless mixing protection techniques will spoil your data.
For example, if your admin has the ability to post HTML from some onlain editor, this SanitizeString will make it impossible.

In fact, your function is trying to protect only from XSS and obviously wrong way.
For the other attacks you need other things. SQL injection protection I described in this answer.

友情链接