This is about a classifieds website... I use PHP and MySQL to insert records into a db.
I have an HTML form, and users must fill in this form to proceed.
Below are the form inputs and the validation made on each input (JavaScript):
Name (Only letters allowed)
Tel (Only numbers allowed)
Email (Special email-regexp match)
Headline (No special characters allowed, all else is fine. By special characters I mean !(#)<> etc. Max length 35 chars.)
Text (Same as headline, just no limit on length)
Price (Only numbers allowed)
I do mysql_real_escape_string() on the Headline and Text, but nothing else.
My question is simply, is this enough?
I have no other security measures whatsoever.
UPDATE
// Name: letters (including Swedish åäö), whitespace and hyphens
var alphaExp = /^[a-zA-ZåäöÅÄÖ\s\-]+$/;
// Tel: up to 20 digits, spaces or hyphens (the {0} lookahead always succeeds and adds nothing)
var numExp = /^(?=(?:\D*\d){0})[\d -]{0,20}$/;
// Price: digits only
var num_only = /^[0-9]+$/;
// Email: the TLD class was [a-zA-z0-9]; the A-z range also admits [ \ ] ^ _ ` so it is corrected to A-Z
var emailExp = /^[\w\-\.\+]+\@[a-zA-Z0-9\.\-]+\.[a-zA-Z0-9]{2,4}$/;
// Text: at least three word-like characters; the g flag was dropped because it makes .test() stateful (lastIndex)
var textExp = /^\s*([\wåäö\-\*][^\w]*){3}.*$/mi;
// Headline: allowed character set only; the 35-char limit is not enforced by this pattern
var headlineExp = /^[\s\da-zA-ZåäöÅÄÖ&()+%\/*$€é:,.'"-]*$/;
asked Dec 6, 2010 at 17:53 by user188962
- 4 What if a user turns off JavaScript? – Tim Pietzcker Commented Dec 6, 2010 at 17:55
- 3 "Special email-regexp match" terrifies me, since so many people get it wrong. And only allowing letters in the name is incorrect. – Ignacio Vazquez-Abrams Commented Dec 6, 2010 at 17:55
- The regexps are in the update... I was meaning generally, but check the regexps out if they are correct please... – user188962 Commented Dec 6, 2010 at 17:56
6 Answers
All security measures that are implemented in JavaScript can be circumvented by the user, for example by turning it off, by removing listeners or messing around with the code. Don't rely on the client there!
"I have no other security measures whatsoever."
Security must be implemented in layers. Many times, programmers do not understand this because it's outside of their purview (most have the mantra "if it compiles, ship it"). You must implement security at every reasonable point. You can never, ever trust user input, especially if it sees the Wild Wild Web. Regular expression checks, known injection checks, and server and application hardening are essential.
Note that there is a reasonableness standard attached. It is sometimes easy to have security theater or overkill. It's up to you and the other project stakeholders to determine what levels of precaution are necessary to implement. Time and materials have costs associated with them, so if you spend $100,000 on security implementation but only get an $80,000 return, then it's self-defeating.
Everything that comes from the user has to be checked. JavaScript executes before the user sends it; I do not need to run your JavaScript code to send a POST request.
You shouldn't use MySQL Extension at all. It's 2010 and PDO is the way to go.
In almost all cases, the default answer to "Do I really need to..." when it comes to security questions is "Yes, absolutely."
<?php
/* $dbh is an already-opened PDO connection (e.g. new PDO('mysql:...', $user, $pass)) */
/* Execute a prepared statement by passing an array of values */
$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
/* The values are bound to the placeholders and never spliced into the SQL text */
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();
/* The leading colon on the array keys is optional */
$sth->execute(array('calories' => 175, 'colour' => 'yellow'));
$yellow = $sth->fetchAll();
?>
The code above is from this page in the PHP library. Don't bother with mysql_real_escape_string() anymore, and try to incorporate prepared statements with your SQL queries.
Lots of people here talk about bypassing your javascript but I want to go one step further and show you how it is done, since context makes all the difference. Here's one Firefox addon that I love to use when I do penetration testing or anything of the sort: Groundspeed.
As has been said a million times, client-side validations are good because you can use them to keep well-behaved users from hitting your server with bad requests, but every client-side validation must be mirrored server-side as well. And yes, prepared statements are your friend. Also, sanitize anything coming OUT of your database as well, since that's a step a lot of people forget about.
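The two answers above ask for the client-side checks to be repeated on the server, for prepared statements instead of mysql_real_escape_string(), and for escaping on output. The following is an added example of all three for the question's form; it is not code from any of the answers, and the ads table, its column names, the DSN and the credentials are assumptions. The /u flag is needed so the Swedish letters are matched as UTF-8 characters.

```php
<?php
// Added example, not code from any of the answers: re-run the form checks on the server
// and insert with a PDO prepared statement. Table, columns, DSN and credentials are assumed.
function validateAd(array $in): array
{
    // Same character rules as the question's client-side regexes, now enforced server-side
    $rules = [
        'name'     => '/^[a-zA-ZåäöÅÄÖ\s\-]+$/u',
        'tel'      => '/^[0-9]+$/',
        'email'    => '/^[\w\-\.\+]+@[a-zA-Z0-9\.\-]+\.[a-zA-Z0-9]{2,4}$/',
        'headline' => '/^[\s\da-zA-ZåäöÅÄÖ&()+%\/*$€é:,.\'"-]{1,35}$/u',
        'text'     => '/^[\s\da-zA-ZåäöÅÄÖ&()+%\/*$€é:,.\'"-]+$/u',
        'price'    => '/^[0-9]{1,9}$/',
    ];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = isset($in[$field]) && is_string($in[$field]) ? $in[$field] : '';
        // preg_match returns 1 on match, 0 on no match, false on error (e.g. invalid UTF-8)
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'invalid';
        }
    }
    return $errors;
}

function insertAd(PDO $dbh, array $ad): int
{
    // Bound parameters keep the values out of the SQL text, so no escaping function is involved
    $sth = $dbh->prepare(
        'INSERT INTO ads (name, tel, email, headline, text, price)
         VALUES (:name, :tel, :email, :headline, :text, :price)'
    );
    $sth->execute([
        ':name' => $ad['name'], ':tel' => $ad['tel'], ':email' => $ad['email'],
        ':headline' => $ad['headline'], ':text' => $ad['text'], ':price' => (int) $ad['price'],
    ]);
    return (int) $dbh->lastInsertId();
}

$errors = validateAd($_POST);
if ($errors === []) {
    $dbh = new PDO('mysql:host=localhost;dbname=classifieds;charset=utf8mb4', 'dbuser', 'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $id = insertAd($dbh, $_POST);
    // Escape on the way out as well (HTML context), as the last answer recommends
    echo 'Stored ad ' . $id . ': ' . htmlspecialchars($_POST['headline'], ENT_QUOTES, 'UTF-8');
}
```

With ATTR_EMULATE_PREPARES off, MySQL itself prepares the statement and the values travel separately from the query, so a quote or semicolon in the headline can only ever be stored, not executed.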
Tags: php. Source: php - Do I need to check for sql injection even on validated inputs? - Stack Overflow