我的PHP脚本通过$ _POST接收数组。该数组具有(或预期具有)以下格式:
array (
0 =>
array (
'Datum' =>
array (
0 => '2016-11-29',
1 => '2016-11-29',
2 => '2016-11-29',
),
'VK' =>
array (
0 => '18 Worker',
1 => '1 Other Worker',
2 => '11 One more worker',
),
'Dienstbeginn' =>
array (
0 => '08:00',
1 => '08:00',
2 => '08:30',
),
'Dienstende' =>
array (
0 => '14:00',
1 => '16:30',
2 => '16:00',
),
'Mittagsbeginn' =>
array (
0 => '',
1 => '11:30',
2 => '12:00',
),
'Mittagsende' =>
array (
0 => '',
1 => '12:00',
2 => '12:30',
),
'Kommentar' =>
array (
0 => '',
1 => '',
2 => '',
),
),
)
我有一个函数将用户数据写入我自己的变量,并将空白输入转换为NULL值,以便存储数据库。
foreach ($_POST['Dienstplan'] as $plan => $inhalt_tag) {
foreach ($inhalt_tag as $column => $lines) {
foreach ($lines as $linenumber => $line) {
if ($line === '') {
//Empty fields should be inserted as null values inside the database.
//TODO: Should we make an exeption for Comments?
$line = 'null';
}
//TODO: Is it a security issue, that we use $column and $linenumber directly? Do we have to sanitize those?
$Dienstplan[$plan][$column][$linenumber] = sanitize_user_input($line);
}
}
}
function sanitize_user_input($data) {
$clean_data = htmlspecialchars(stripslashes(trim($data)));
return $clean_data;
}
这种方法有多安全?在这种情况下,我可以信任$ plan,$ column和$ linenumber吗?第一点是什么,攻击者可以使用它来破坏事物?
答案 0 :(得分:1)
此方法的安全性如何?我可以相信在这种情况下可以保存$ plan,$ column和$ linenumber吗?
不。您在多层中使用了错误的工具。
如果您要验证结构化输入(例如,为了确保类型安全并强制执行输入白名单),请签出Ionizer。