To start, please pardon my ignorance, I'm not a programmer but rather a student research assistant who happens to need to write some programs.
Right now I'm working on a page that will take user input (eventually will be guesses in a guessing game) and store it in a csv file. The tech guy here warned me about the danger of sql injection and cross site scripting, so I googled them as well as strategies for protection. But it looks like there are MANY strategies, and I'm having a hard time understanding which ones I need to use. For instance, do I even need to be worried about sql injection if I'm not using sql? Am I using sql and I just don't know it? Would it be sufficient to strip all non-alphabet characters from the input using javascript (I really don't need them)?
Can someone please tell me: Which protection strategies do I need to use, given what I'm trying to do?
If it helps, here is my code so far. I'm trying to use Ajax, so I have the following components:
A. HTML: presents text box and buttons to write the input into the csv file (one to write to the same line, one to write to a new line).
<input id="input" type="text"><br>
<input type="button" onClick="javascript:writeToFile(0, document.getElementById('input').value)" value="write on same line"><br>
<input type="button" onClick="javascript:writeToFile(1, document.getElementById('input').value)" value="write on new line"><br>
B. Javascript: Creates an XMLHttpRequest object, opens it with POST and specifies the PHP script, and sends it along with the user-inputted string (I didn't include a callback function here because I'm not changing the HTML page in response, but if I need one let me know).
function createRequestObject() {
    var ro;
    var browser = navigator.appName;
    if (browser == "Microsoft Internet Explorer") {
        ro = new ActiveXObject("Microsoft.XMLHTTP");   // legacy IE
    } else {
        ro = new XMLHttpRequest();
    }
    return ro;
}

function writeToFile(newline, content) {
    var ajaxRO = createRequestObject();
    content += ", ";
    // URL-encode the values so characters such as '&', '+' or '=' in the
    // input do not break the form body.
    var params = "newline=" + encodeURIComponent(newline) +
                 "&content=" + encodeURIComponent(content);
    ajaxRO.open("POST", "writer2.php", true);
    ajaxRO.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    ajaxRO.send(params);
}
C. PHP: Retrieves the variables from POST (the first tells it if a new line is needed, the second tells it what to write).
<?php
$myFile = "results.csv";
$fh = fopen($myFile, 'a') or die("can't open file");   // append mode
$toWrite = $_POST['content'];
$newLine = $_POST['newline'];
if ($newLine == 1) {
    fwrite($fh, "\n");       // start a new row first
    fwrite($fh, $toWrite);
    fclose($fh);
} else {
    fwrite($fh, $toWrite);   // continue the current row
    fclose($fh);
}
?>
Thanks so much for any information you can provide!
I'm not sure why you posted HTML/JavaScript; that's not really where the problems are. XSS and SQL Injection are a server-side problem and you should post PHP code if you need help. (Putting DOM Based XSS aside because it's so uncommon.)
For SQL Injection you should always use parametrized queries. PDO and ADOB are both good libraries for this.
Cross-Site Scripting defense is a lot more complex. You can't just throw htmlspecialchars($var, ENT_QUOTES)
at every variable you print out and expect to be safe. This is a good practice, but you should also make sure to TEST EVERYTHING. I suggest using a free service like Sitewatch which will test for XSS, SQL injection and a lot more. Or you could use Acunetix's free XSS scanner.
In terms of the CSV file, that's just slow and cumbersome. You should be using a database for this. If you need to serve the CSV file you can select out what you need and print it with PHP.
Validating your input on the server is what you should be doing. Since you're writing to a CSV file, your PHP code should look for commas and newlines and maybe replace them with spaces or issue an error message back to the user. Also, think about the maximum length that you can accept as input.
After collecting the input, if you display the collected data as output in a page, you should HTML encode it.
This is just the tip of the iceberg, though. Security is never a solved problem, you're just raising the bar for potential attackers.
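A hardened writer2.php along the lines this answer describes: server-side length and character checks, one guess per CSV record via fputcsv(), and HTML encoding before anything is displayed. This is an added example, not code from the question or either answer; it assumes results.csv sits next to the script and drops the "same line" option in favour of one record per guess.

```php
<?php
// Added example (not the poster's code): a hardened writer2.php that
// applies the advice above. Assumes results.csv sits next to the script
// and that one guess is stored per CSV record.
declare(strict_types=1);
const CSV_FILE   = __DIR__ . '/results.csv';
const MAX_LENGTH = 40;   // longest guess we accept

// Returns null if the guess is acceptable, otherwise a message for the user.
function validateGuess(string $guess): ?string
{
    if (strlen($guess) > MAX_LENGTH) {
        return 'Guess too long (max ' . MAX_LENGTH . ' characters)';
    }
    // Commas and line breaks would break the CSV layout, and a guess only
    // needs letters, so reject everything else (including empty input).
    if (!preg_match('/^[A-Za-z]+$/', $guess)) {
        return 'Only letters are allowed';
    }
    return null;
}

// Appends one record. fputcsv() quotes special characters itself, so the
// file stays well-formed even if the rules above are relaxed later.
function storeGuess(string $guess): bool
{
    $fh = fopen(CSV_FILE, 'a');
    if ($fh === false) {
        return false;
    }
    flock($fh, LOCK_EX);   // concurrent players must not interleave writes
    $ok = fputcsv($fh, [date('c'), $guess]) !== false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

$guess = (string) ($_POST['content'] ?? '');   // default instead of a notice
if (($error = validateGuess($guess)) !== null) {
    http_response_code(400);
    echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    exit;
}
if (!storeGuess($guess)) {
    http_response_code(500);
    echo 'Could not save guess';
    exit;
}
// Any page that later shows stored guesses must HTML-encode each value:
// echo htmlspecialchars($guess, ENT_QUOTES, 'UTF-8');
echo 'Saved';
```

The regex is the "strip non-alphabet characters" idea from the question, but enforced on the server where the client-side JavaScript cannot be bypassed.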
Your code isn't vulnerable to Cross Site Scripting, and you aren't using SQL, only plain text.
But, watch out for another vulnerability called Cross Site Request Forgery. You must add a token value in the form:
session_start();
// Create the token once per session; regenerating it on every request
// (as in the original one-liner) would make every check fail.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(16));   // CSPRNG instead of md5(rand())
}
// Put it in the form as <input type="hidden" name="token" value="...">
// and send it with the POST, then compare in constant time:
if (!isset($_POST['token']) || !hash_equals($_SESSION['token'], (string) $_POST['token'])) {
    echo 'Invalid Request!';
} else {
    // valid request!
}