我正在编写一个小问答网络应用程序,允许互联网用户提交问题的答案(只能提交答案,而不是问题) .
我已经积极尝试解决有效负载( strlen() ),XSS( htmlspecialchars() ),SQL注入( prepare() )的权重,并且用户正在提交对实际存在的问题的答案(通过执行 SELECT 查询"behind the scenes") .
public function submitAnswer($qid, $payload) {
// escape/sanitize input
$answer = htmlspecialchars($payload, ENT_QUOTES);
$unix_time = time();
$qid = preg_replace('/\D/', '', $qid);
// get length of question from db
$this->sth = $this->dbh->prepare("SELECT question, LENGTH(question) as length FROM questions where id = :id");
$this->sth->execute(array(':id' => $qid));
$this->sth->bindColumn('length', $q_length);
$result = $this->sth->fetch(PDO::FETCH_BOUND);
// make sure question exists and check the combined length of q & a
if ($result && ($q_length + strlen($answer) < 130)) {
try {
$this->hsth = $this->dbh->prepare("INSERT INTO answers (unix_time, qid, answer) values ($unix_time, :qid, :answer)");
$this->sth->execute(array(
':qid' => $qid,
':answer' => $answer
));
return array('status' => '0', 'unix_time' => $unix_time, 'qid' => $qid, 'length' => strlen($answer));
} catch (PDOException $e) {
return array('status' => '1', 'unix_time' => time(), 'message' => 'db error');
}
} else {
return array('status' => '1', 'unix_time' => time(), 'message' => 'invalid input');
}
}
更准确地说,这些函数( htmlspecialchars() 和 prepare() )是否提供足够的XSS和SQL注入保护?