当前位置: 首页 » php

PHP: PDO (SQLite) user input

I'm writing a litle Q&A webapp which will allow Internet users to submit answers to questions (only answers can be submitted, not questions). I'd like your thoughts on my method that receives the user input and inserts it into the database, mainly from a security point of view. I've actively tried to address the weight of the payload ( strlen() ), XSS ( htmlspecialchars() ), SQ

2018-06-07 00:53:14

PHP:PDO(SQLite)用户输入

我正在写一个小问答网络应用程序,它将允许互联网用户提交问题的答案(只能提交答案,而不是问题)。 我希望对接收用户输入的方法有所想法,并将其插入数据库中,主要是从安全角度考虑。 我已经积极地尝试解决有效负载( strlen() ),XSS( htmlspecialchars() ),SQL注入( prepare() )的权重,并且用户正在提交对实际存在的问题的答案(通过执行一个SELECT查询“幕后”)。 public function submitAnswer($qid, $payload)

2018-06-07 00:53:14

Do I need to sanitize the user input Laravel

I am using Laravel 4 with Eloquent. When I get the user input I just use $name=Input::get('name') and then I do $a->name=$name; I don't know if the function Input::get protect me from SQL Injection and XSS. If it does not, what do I have to do to sanitize the input? And, when I show the value in my view, shall I use {{$a}} or {{{$a}}} Greetings and thanks. Laravel uses PD

2018-06-07 00:52:12

我需要清理用户输入Laravel吗?

我使用Laravel 4与雄辩。 当我得到用户输入时,我只使用$name=Input::get('name') ,然后我做$a->name=$name; 我不知道Input::get函数是否Input::get保护我免受SQL注入和XSS的攻击。 如果没有,我需要做些什么来消毒输入? 而且,当我以我的观点显示价值时,我是否应使用{{$a}}或{{{$a}}} 问候和感谢。 Laravel使用PDO的参数绑定,所以SQL注入不是你应该担心的。 你应该阅读这个。 Input :: get()不会

2018-06-07 00:52:11

PHP input sanitizer?

What are some good PHP html (input) sanitizers? Preferably, if something is built in - I'd like to us that. UPDATE : Per the request, via comments, input should not allow HTML (and obviously prevent XSS & SQL Injection, etc). html净化器 - > http://htmlpurifier.org/ I've always used PHP's addslashes() and stripslashes() functions, but I also just saw the built-in filter

2018-06-07 00:49:05

PHP输入消毒剂?

什么是一些很好的PHP html(输入)消毒剂? 最好是,如果内置了某些东西 - 我想给我们提供。 更新 : 按照要求,通过评论,输入不应该让HTML(显然防止XSS和SQL注入等)。 html净化器 - > http://htmlpurifier.org/ 我一直使用PHP的addslashes()和stripslashes()函数,但我也只是看到了内置的filter_var()函数(链接)。 看起来像有不少内置过滤器。 如果你想运行一个使用的查询,比如说$_GET['user

2018-06-07 00:49:05

Keeping track of failed login attempts

This question is essentially language-agnostic, but in my case I'm using PHP for anyone who wants to know. I would like to keep track of the number of failed login attempts a user had, so that after X failed attempts a CAPTCHA is displayed. The only purpuse this would have is preventing brute-force attacks. It doesn't have to be an extremely secure way, just annoying enough to delay w

2018-06-07 00:35:39

跟踪失败的登录尝试

这个问题基本上是语言不可知的,但在我的情况下,我使用PHP为任何想知道的人。 我想跟踪用户失败的登录尝试次数,以便在X失败尝试后显示验证码。 唯一的办法就是防止暴力攻击。 它不一定是一个非常安全的方式,只是令人讨厌,无法推迟那些蛮横的人。 我正在考虑创建会话变量$_SESSION['failedLoginAttempts']并在每次检测到失败的登录尝试时增加它。 攻击者仍然可以替换浏览器或者删除他的cookies来继续前进,但

2018-06-07 00:35:39

How to secure database passwords in PHP?

When a PHP application makes a database connection it of course generally needs to pass a login and password. If I'm using a single, minimum-permission login for my application, then the PHP needs to know that login and password somewhere. What is the best way to secure that password? It seems like just writing it in the PHP code isn't a good idea. Several people misread this as a qu

2018-06-07 00:28:22

如何在PHP中保护数据库密码?

当PHP应用程序建立数据库连接时,通常需要传递登录名和密码。 如果我为我的应用程序使用单一的最小权限登录,那么PHP需要知道某处的登录名和密码。 什么是保护密码的最佳方式? 它似乎只是写在PHP代码不是一个好主意。 有几个人误解这是关于如何在数据库中存储密码的问题。 那是错的。 这是关于如何存储可以访问数据库的密码。 通常的解决方案是将密码从源代码移出到配置文件中。 然后保留管理并将该配置文件保存到系

2018-06-07 00:28:22

How to hash long passwords (>72 characters) with blowfish

The last week I read a lot articles about password hashing and Blowfish seems to be (one of) the best hashing algorithm right now - but that's not the topic of this question! The 72 character limit Blowfish only consider the first 72 characters in the entered password: <?php $password = "Wow. This is a super secret and super, super long password. Let's add some special ch4r4ct3rs a#d

2018-06-07 00:26:18

如何用长嘴鳕来散列长密码(> 72个字符)

上周我读了很多关于密码散列的文章,Blowfish似乎是(现在)最好的散列算法之一 - 但这不是这个问题的主题! 72个字符限制 河豚只考虑输入密码中的前72个字符: <?php $password = "Wow. This is a super secret and super, super long password. Let's add some special ch4r4ct3rs a#d everything is fine :)"; $hash = password_hash($password, PASSWORD_BCRYPT); var_dump($password); $input = substr($password,

2018-06-07 00:26:18

Best practices for hashing a password without using SSL

I know this question sounds like it might already be answered but stay with me. I have a website that needs users to sign up and log in. In this process, lets take sign up the user would provide a username and password, the system will check the information and then POST to itself for the PHP script to salt and hash the password before storing it in the database. Now i thought this was safe, s

2018-06-07 00:23:11

不使用SSL散列密码的最佳做法

我知道这个问题听起来好像已经可以回答,但留在我身边。 我有一个网站,需要用户注册并登录。在这个过程中,让我们注册用户将提供一个用户名和密码,系统将检查信息,然后POST自己的PHP脚本盐和散列将密码存储在数据库中之前。 现在,我认为这是安全的,盐和散列密码总是最好的做法,但最近我想过这是如何发生的,数据必须发送到服务器才可以被哈希,因为我不使用SSL用户名和密码都是未加密的,所以我认为这些信息是以纯文本

2018-06-07 00:23:11

MD5, password hashing and salt position

Before i start, i know the MD5 is compromised (collision attack and speed of hashing) and shouldn't be used to hash passwords, but just for the sake of it, bear with me. My questions are: How does the salt position when hashing with md5 affects the "quality" or the "strength" of the hash? Say i have the the following piece of code, which hashes a users password using p

2018-06-07 00:13:52

MD5,密码散列和盐位置

在我开始之前,我知道MD5已经被攻破(碰撞攻击和散列速度),不应该用来散列密码,但只是为了它,忍受着我。 我的问题是:当用md5散列时,盐的位置如何影响散列的“质量”或“强度”? 假设我有以下一段代码,它使用他的电子邮件地址的一部分作为盐散列用户密码: <?php $email = 'user@emailservice.ex'; $password = 'RandomPassWithChars'; $segments = explode('@', $email); list($saltPart1, $saltPar

2018-06-07 00:13:51

How can I store my users' passwords safely?

How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP. $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '$password'"); if (mysql_

2018-06-06 23:51:04

我怎样才能安全地存储我的用户密码?

这比普通的MD5更安全吗? 我刚开始研究密码安全。 我对PHP很新。 $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."' AND password = '$password'"); if (mysql_num_rows($result) < 1) { /* Access denied */ echo "T

2018-06-06 23:51:04

angle bracket mysql php

This question already has an answer here: php echoing angle brackets 4 answers The output of from_addr will be there if you are receiving results from your query. Take a look at this example: $string = '<hello world>'; echo $string; echo htmlspecialchars('<hello world>'); Whereas, echo $string will show in the source code, but is being treated as a tag, and therefore not displ

2018-06-06 23:08:30

角度支架MySQL的PHP

这个问题在这里已经有了答案: php回显尖括号4个答案 如果您从查询中收到结果,则from_addr的输出将在那里。 看看这个例子: $string = '<hello world>'; echo $string; echo htmlspecialchars('<hello world>'); 而echo $string将显示在源代码中,但被视为标签,因此不会在屏幕上显示。 使用htmlspecialchars()会将< >更改为&lt; &gt; &lt; &gt; 这将显示“屏幕上”。 看起来你正

2018-06-06 23:08:30