Question

I'm creating a function which will check over a string (once the string is sent through the function) for common syntax used within SQLi and XSS attacks. The problem is that I know only some, but not all of them, so I was wondering if the people here on SO will be able to give me some information/syntax on the common uses for these types of attacks.

My code follows below:

// Returns true if $Arg contains any character from a blocklist of
// characters commonly seen in SQLi/XSS payloads, false otherwise.
function CleanInput ($Arg)
{
    foreach (array("@", "<", ">", "'", "|", "/", "\\", "-", "+", "_") as $value)
    {
        $check = strpos($Arg, $value);
        if ($check !== false)
        {
            return true;
        }
    }
    return false;
}

Solution

Input is not inherently "clean" or "unclean". Treating it as if it is (like you're doing here) is a fast track to weird functionality problems and security holes.

Instead, keep in mind at all times where you are sending data (whether it's user input or not!), and make sure to modify data in a way appropriate to the output. For instance:

  • When sending data to SQL, use bound parameters if possible. If not, apply SQL escaping right before you interpolate data into the query.
  • When outputting HTML, use an appropriate HTML escaping function (like htmlspecialchars()) at the point where your data is combined with other HTML.
  • When generating JSON, use json_encode(). No exceptions.
  • When creating a shell command, use a shell escaping function to include non-constant data.

In general: Escape data on output, not on input.
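The four rules above, worked through on one untrusted value, as an added example that is not part of the original answer. It uses only standard PHP functions (PDO with bound parameters, htmlspecialchars(), json_encode(), escapeshellarg()); the $userInput value, the users table and the log file path are constructed for illustration, and the in-memory SQLite database assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original post): the same untrusted value is
// escaped differently depending on the context it is sent to. The input,
// table and file path below are constructed for illustration.

$userInput = "O'Reilly <script>alert(1)</script>; rm -rf /";

// 1. SQL: bound parameters via PDO. The value never becomes part of the SQL
//    text, so quotes inside it cannot change the structure of the query.
function findUserByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. HTML: escape at the point of output. ENT_QUOTES makes the result safe
//    inside a double- or single-quoted attribute as well as in element content.
function renderGreeting(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<p title=\"$safe\">Hello, $safe</p>";
}

// 3. JSON: json_encode() does the quoting and escaping. The JSON_HEX_* flags
//    additionally hex-escape characters that would matter if the JSON is ever
//    embedded inside an HTML <script> block.
function toJsonPayload(string $name): string
{
    return json_encode(
        ['name' => $name],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 4. Shell: escapeshellarg() wraps the value in single quotes and escapes any
//    embedded single quotes, so the whole value reaches grep as one argument.
//    "--" stops grep from treating a value starting with "-" as an option.
function buildGrepCommand(string $pattern, string $file): string
{
    return 'grep -F -- ' . escapeshellarg($pattern) . ' ' . escapeshellarg($file);
}

// Demonstration with a throwaway in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $userInput]);

// The quote and the <script> tag were stored and are matched as literal
// characters, not interpreted as SQL: exactly one row comes back.
var_dump(count(findUserByName($pdo, $userInput)) === 1);

echo renderGreeting($userInput), PHP_EOL;
echo toJsonPayload($userInput), PHP_EOL;
echo buildGrepCommand($userInput, '/var/log/app.log'), PHP_EOL;
```

Note that the value itself is stored unmodified; each function only transforms it at the moment it is combined with SQL, HTML, JSON or a shell command line. That is what lets the same stored string be rendered correctly in every context, which a blocklist applied on input cannot do.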

License: CC-BY-SA Attribution