{"id":24481,"date":"2024-11-21T13:40:04","date_gmt":"2024-11-21T05:40:04","guid":{"rendered":"https:\/\/fwq.ai\/blog\/24481\/"},"modified":"2024-11-21T13:40:04","modified_gmt":"2024-11-21T05:40:04","slug":"thinkphp6%e5%ae%89%e5%85%a8%e9%98%b2%e6%8a%a4%e6%8c%87%e5%8d%97%ef%bc%9a%e9%a2%84%e9%98%b2%e5%b8%b8%e8%a7%81%e7%9a%84%e6%94%bb%e5%87%bb","status":"publish","type":"post","link":"https:\/\/fwq.ai\/blog\/24481\/","title":{"rendered":"ThinkPHP6\u5b89\u5168\u9632\u62a4\u6307\u5357\uff1a\u9884\u9632\u5e38\u89c1\u7684\u653b\u51fb"},"content":{"rendered":"

\"ThinkPHP6\u5b89\u5168\u9632\u62a4\u6307\u5357\uff1a\u9884\u9632\u5e38\u89c1\u7684\u653b\u51fb\u63d2\u56fe\"<\/p>\n

ThinkPHP6\u5b89\u5168\u9632\u62a4\u6307\u5357\uff1a\u9884\u9632\u5e38\u89c1\u7684\u653b\u51fb<\/p>\n

\u968f\u7740\u4e92\u8054\u7f51\u7684\u5feb\u901f\u53d1\u5c55\uff0c\u7f51\u7edc\u5b89\u5168\u95ee\u9898\u65e5\u76ca\u7a81\u51fa\uff0c\u5404\u79cd\u653b\u51fb\u624b\u6bb5\u4e5f\u5c42\u51fa\u4e0d\u7a77\u3002\u4f5c\u4e3a\u4e00\u6b3e\u5e7f\u53d7\u6b22\u8fce\u7684PHP\u5f00\u6e90\u6846\u67b6\uff0cThinkPHP6\u5728\u5b89\u5168\u6027\u65b9\u9762\u4e5f\u5f15\u8d77\u4e86\u5927\u5bb6\u7684\u5173\u6ce8\u3002\u672c\u6587\u5c06\u5206\u4eab\u4e00\u4e9b\u5e38\u89c1\u7684\u653b\u51fb\u624b\u6bb5\u4ee5\u53ca\u5728ThinkPHP6\u4e2d\u5982\u4f55\u8fdb\u884c\u76f8\u5e94\u7684\u5b89\u5168\u9632\u62a4\uff0c\u5e2e\u52a9\u5f00\u53d1\u8005\u63d0\u9ad8\u7cfb\u7edf\u7684\u5b89\u5168\u6027\u3002<\/p>\n

    \n
  1. SQL\u6ce8\u5165\u9632\u62a4<\/li>\n<\/ol>\n

    SQL\u6ce8\u5165\u662f\u6700\u5e38\u89c1\u7684\u653b\u51fb\u624b\u6bb5\u4e4b\u4e00\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u6076\u610f\u7684SQL\u8bed\u53e5\u6765\u83b7\u53d6\u3001\u4fee\u6539\u6216\u5220\u9664\u6570\u636e\u5e93\u4e2d\u7684\u6570\u636e\u3002\u5728ThinkPHP6\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528SQL\u8bed\u53e5\u7ed1\u5b9a\u53c2\u6570\u6216\u8005\u4f7f\u7528Query\u5bf9\u8c61\u6765\u9632\u6b62SQL\u6ce8\u5165\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528\u7ed1\u5b9a\u53c2\u6570\u65b9\u5f0f\u7684\u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n

    use thinkacadeDb;\n\n$id = input('id');\n$sql = \"SELECT * FROM users WHERE id=:id\";\n$result = Db::query($sql, ['id'=&gt;$id]);<\/pre>\n
     \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
      \n
    1. XSS\u9632\u62a4<\/li>\n<\/ol>\n
      XSS\uff08Cross-Site Scripting\uff09\u653b\u51fb\u662f\u4e3a\u4e86\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u6076\u610f\u811a\u672c\uff0c\u901a\u8fc7\u7be1\u6539\u7f51\u9875\u5185\u5bb9\u6765\u5b9e\u73b0\u653b\u51fb\u76ee\u7684\u3002\u4e3a\u4e86\u9632\u6b62XSS\u653b\u51fb\uff0cThinkPHP6\u63d0\u4f9b\u4e86XSS\u8fc7\u6ee4\u5668\u548c\u8f6c\u7801\u65b9\u6cd5\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528\u8f93\u51fa\u8fc7\u6ee4\u5668\u7684\u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n
      \u7acb\u5373\u5b66\u4e60<\/span>\u201c\u201d\uff1b<\/p>\n
      use thinkhelperStr;\n\n$content = input('content');\necho Str::removeXss($content);<\/pre>\n
       \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
        \n
      1. CSRF\u9632\u62a4<\/li>\n<\/ol>\n
        CSRF\uff08Cross-Site Request Forgery\uff09\u653b\u51fb\u662f\u6307\u653b\u51fb\u8005\u901a\u8fc7\u4f2a\u9020\u8bf7\u6c42\u6765\u6267\u884c\u672a\u7ecf\u7528\u6237\u540c\u610f\u7684\u64cd\u4f5c\u3002ThinkPHP6\u63d0\u4f9b\u4e86\u5185\u7f6e\u7684CSRF\u9632\u62a4\u673a\u5236\uff0c\u53ea\u9700\u8981\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u5f00\u542fCSRF\u4ee4\u724c\u5373\u53ef\u5b9e\u73b0\u9632\u62a4\u3002\u4ee5\u4e0b\u662f\u5f00\u542fCSRF\u4ee4\u724c\u7684\u914d\u7f6e\u793a\u4f8b\uff1a<\/p>\n
        \/\/config\/app.php\n'csrf' =&gt; [\n    'token_on' =&gt; true,\n],<\/pre>\n
         \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
        \u7136\u540e\u5728\u8868\u5355\u4e2d\u6dfb\u52a0CSRF\u4ee4\u724c\u5b57\u6bb5\uff1a<\/p>\n
        <\/pre>\n
         \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
          \n
        1. \u6587\u4ef6\u4e0a\u4f20\u5b89\u5168\u9632\u62a4<\/li>\n<\/ol>\n
          \u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u7ecf\u5e38\u88ab\u653b\u51fb\u8005\u7528\u6765\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\uff0c\u4ece\u800c\u5bf9\u7cfb\u7edf\u9020\u6210\u5a01\u80c1\u3002ThinkPHP6\u901a\u8fc7\u5bf9\u4e0a\u4f20\u6587\u4ef6\u7684\u7c7b\u578b\u3001\u5927\u5c0f\u3001\u8def\u5f84\u8fdb\u884c\u9650\u5236\u6765\u589e\u5f3a\u6587\u4ef6\u4e0a\u4f20\u7684\u5b89\u5168\u6027\u3002\u4ee5\u4e0b\u662f\u6587\u4ef6\u4e0a\u4f20\u5b89\u5168\u9632\u62a4\u7684\u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n
          use thinkacadeFilesystem;\n\n$file = $request-&gt;file('image');\n$savePath = 'uploads\/';\n$info = $file-&gt;validate(['size'=&gt;102400,'ext'=&gt;'jpg,png,gif'])-&gt;move($savePath);\nif($info){\n    $filePath = $savePath.$info-&gt;getSaveName();\n    \/\/\u6587\u4ef6\u4fdd\u5b58\u6210\u529f\n} else {\n    \/\/\u6587\u4ef6\u4e0a\u4f20\u5931\u8d25\n    echo $file-&gt;getError();\n}<\/pre>\n
           \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
            \n
          1. URL\u5b89\u5168\u9632\u62a4<\/li>\n<\/ol>\n
            URL\u5b89\u5168\u662f\u4fdd\u62a4\u7f51\u7ad9\u514d\u53d7URL\u76f8\u5173\u7684\u653b\u51fb\u7684\u91cd\u8981\u4e00\u73af\u3002\u5728ThinkPHP6\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528URL\u91cd\u5199\u3001URL\u8def\u7531\u7b49\u65b9\u5f0f\u6765\u589e\u5f3aURL\u7684\u5b89\u5168\u6027\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528URL\u91cd\u5199\u548cURL\u8def\u7531\u7684\u4ee3\u7801\u793a\u4f8b\uff1a<\/p>\n
            \/\/config\/route.php\nRoute::rule('user\/:id', 'index\/user\/show');\n\n\/\/index\/user.php\nnamespace appindexcontroller;\n\nclass User\n{\n    public function show($id)\n    {\n        \/\/\u5904\u7406\u7528\u6237\u4fe1\u606f\u5c55\u793a\n    }\n}<\/pre>\n
             \u767b\u5f55\u540e\u590d\u5236 <\/p>\n
            \u901a\u8fc7\u4ee5\u4e0a\u9632\u62a4\u63aa\u65bd\uff0c\u6211\u4eec\u53ef\u4ee5\u6709\u6548\u5730\u9884\u9632\u5e38\u89c1\u7684\u653b\u51fb\u624b\u6bb5\uff0c\u63d0\u9ad8\u7cfb\u7edf\u7684\u5b89\u5168\u6027\u3002\u4f46\u662f\u5b89\u5168\u5de5\u4f5c\u6c38\u8fdc\u4e0d\u4f1a\u7ec8\u6b62\uff0c\u6211\u4eec\u8fd8\u9700\u8981\u5b9a\u671f\u66f4\u65b0\u6846\u67b6\u548c\u4f9d\u8d56\u5e93\uff0c\u53ca\u65f6\u4fee\u590d\u5b89\u5168\u6f0f\u6d1e\u3002\u540c\u65f6\uff0c\u5f00\u53d1\u8005\u4e5f\u5e94\u52a0\u5f3a\u5bf9\u5b89\u5168\u77e5\u8bc6\u7684\u5b66\u4e60\u548c\u4e86\u89e3\uff0c\u52a0\u5f3a\u5bf9\u4ee3\u7801\u7684\u5ba1\u67e5\u548c\u9a8c\u8bc1\uff0c\u4ece\u800c\u63d0\u9ad8\u7cfb\u7edf\u7684\u6574\u4f53\u5b89\u5168\u6027\u3002<\/p>\n
            \u603b\u800c\u8a00\u4e4b\uff0cThinkPHP6\u4e3a\u6211\u4eec\u63d0\u4f9b\u4e86\u4e00\u7cfb\u5217\u7684\u5b89\u5168\u9632\u62a4\u63aa\u65bd\uff0c\u6211\u4eec\u53ea\u9700\u8981\u6b63\u786e\u5730\u4f7f\u7528\u8fd9\u4e9b\u63aa\u65bd\uff0c\u624d\u80fd\u66f4\u597d\u5730\u4fdd\u62a4\u6211\u4eec\u7684\u5e94\u7528\u548c\u6570\u636e\u5b89\u5168\u3002\u5e0c\u671b\u672c\u6587\u5bf9\u5927\u5bb6\u5728ThinkPHP6\u5b89\u5168\u9632\u62a4\u65b9\u9762\u6709\u6240\u5e2e\u52a9\u3002<\/p>\n
            \u4ee5\u4e0a\u5c31\u662fThinkPHP6\u5b89\u5168\u9632\u62a4\u6307\u5357\uff1a\u9884\u9632\u5e38\u89c1\u7684\u653b\u51fb\u7684\u8be6\u7ec6\u5185\u5bb9\uff0c\u66f4\u591a\u8bf7\u5173\u6ce8\u7c73\u4e91\u5176\u5b83\u76f8\u5173\u6587\u7ae0\uff01<\/p>\n","protected":false},"excerpt":{"rendered":"
            ThinkPHP6\u5b89\u5168\u9632\u62a4\u6307\u5357\uff1a\u9884\u9632\u5e38\u89c1\u7684\u653b\u51fb \u968f\u7740\u4e92\u8054\u7f51\u7684\u5feb\u901f\u53d1\u5c55\uff0c\u7f51\u7edc\u5b89\u5168\u95ee\u9898\u65e5\u76ca\u7a81\u51fa\uff0c\u5404\u79cd\u653b\u51fb\u624b\u6bb5\u4e5f\u5c42\u51fa\u4e0d\u7a77\u3002\u4f5c\u4e3a\u4e00\u6b3e\u5e7f\u53d7\u6b22\u8fce\u7684PHP\u5f00\u6e90\u6846\u67b6\uff0cThinkPHP6\u5728\u5b89\u5168\u6027\u65b9\u9762\u4e5f\u5f15\u8d77\u4e86\u5927\u5bb6\u7684\u5173\u6ce8\u3002\u672c\u6587\u5c06\u5206\u4eab\u4e00\u4e9b\u5e38\u89c1\u7684\u653b\u51fb\u624b\u6bb5\u4ee5\u53ca\u5728ThinkPHP6\u4e2d\u5982\u4f55\u8fdb\u884c\u76f8\u5e94\u7684\u5b89\u5168\u9632\u62a4\uff0c\u5e2e\u52a9\u5f00\u53d1\u8005\u63d0\u9ad8\u7cfb\u7edf\u7684\u5b89\u5168\u6027\u3002 SQL\u6ce8\u5165\u9632\u62a4 SQL\u6ce8\u5165\u662f\u6700\u5e38\u89c1\u7684\u653b\u51fb\u624b\u6bb5\u4e4b\u4e00\uff0c\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u6076\u610f\u7684SQL\u8bed\u53e5\u6765\u83b7\u53d6\u3001\u4fee\u6539\u6216\u5220\u9664\u6570\u636e\u5e93\u4e2d\u7684\u6570\u636e\u3002\u5728ThinkPHP6\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u4f7f\u7528SQL\u8bed\u53e5\u7ed1\u5b9a\u53c2\u6570\u6216\u8005\u4f7f\u7528Query\u5bf9\u8c61\u6765\u9632\u6b62SQL\u6ce8\u5165\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528\u7ed1\u5b9a\u53c2\u6570\u65b9\u5f0f\u7684\u4ee3\u7801\u793a\u4f8b\uff1a use thinkacadeDb; $id = input(‘id’); $sql = “SELECT * FROM users WHERE id=:id”; $result = Db::query($sql, [‘id’=&gt;$id]); \u767b\u5f55\u540e\u590d\u5236 XSS\u9632\u62a4 XSS\uff08Cross-Site Scripting\uff09\u653b\u51fb\u662f\u4e3a\u4e86\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884c\u6076\u610f\u811a\u672c\uff0c\u901a\u8fc7\u7be1\u6539\u7f51\u9875\u5185\u5bb9\u6765\u5b9e\u73b0\u653b\u51fb\u76ee\u7684\u3002\u4e3a\u4e86\u9632\u6b62XSS\u653b\u51fb\uff0cThinkPHP6\u63d0\u4f9b\u4e86XSS\u8fc7\u6ee4\u5668\u548c\u8f6c\u7801\u65b9\u6cd5\u3002\u4ee5\u4e0b\u662f\u4f7f\u7528\u8f93\u51fa\u8fc7\u6ee4\u5668\u7684\u4ee3\u7801\u793a\u4f8b\uff1a \u7acb\u5373\u5b66\u4e60\u201c\u201d\uff1b use thinkhelperStr; $content = input(‘content’); echo Str::removeXss($content); \u767b\u5f55\u540e\u590d\u5236 CSRF\u9632\u62a4 CSRF\uff08Cross-Site Request Forgery\uff09\u653b\u51fb\u662f\u6307\u653b\u51fb\u8005\u901a\u8fc7\u4f2a\u9020\u8bf7\u6c42\u6765\u6267\u884c\u672a\u7ecf\u7528\u6237\u540c\u610f\u7684\u64cd\u4f5c\u3002ThinkPHP6\u63d0\u4f9b\u4e86\u5185\u7f6e\u7684CSRF\u9632\u62a4\u673a\u5236\uff0c\u53ea\u9700\u8981\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u5f00\u542fCSRF\u4ee4\u724c\u5373\u53ef\u5b9e\u73b0\u9632\u62a4\u3002\u4ee5\u4e0b\u662f\u5f00\u542fCSRF\u4ee4\u724c\u7684\u914d\u7f6e\u793a\u4f8b\uff1a \/\/config\/app.php ‘csrf’ =&gt; [ ‘token_on’ =&gt; true, ], \u767b\u5f55\u540e\u590d\u5236 \u7136\u540e\u5728\u8868\u5355\u4e2d\u6dfb\u52a0CSRF\u4ee4\u724c\u5b57\u6bb5\uff1a \u767b\u5f55\u540e\u590d\u5236 \u6587\u4ef6\u4e0a\u4f20\u5b89\u5168\u9632\u62a4 \u6587\u4ef6\u4e0a\u4f20\u529f\u80fd\u7ecf\u5e38\u88ab\u653b\u51fb\u8005\u7528\u6765\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\uff0c\u4ece\u800c\u5bf9\u7cfb\u7edf\u9020\u6210\u5a01\u80c1\u3002ThinkPHP6\u901a\u8fc7\u5bf9\u4e0a\u4f20\u6587\u4ef6\u7684\u7c7b\u578b\u3001\u5927\u5c0f\u3001\u8def\u5f84\u8fdb\u884c\u9650\u5236\u6765\u589e\u5f3a\u6587\u4ef6\u4e0a\u4f20\u7684\u5b89\u5168\u6027\u3002\u4ee5\u4e0b\u662f\u6587\u4ef6\u4e0a\u4f20\u5b89\u5168\u9632\u62a4\u7684\u4ee3\u7801\u793a\u4f8b\uff1a use thinkacadeFilesystem; $file = […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-24481","post","type-post","status-publish","format-standard","hentry","category-16"],"_links":{"self":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/24481","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/comments?post=24481"}],"version-history":[{"count":0,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/posts\/24481\/revisions"}],"wp:attachment":[{"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/media?parent=24481"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/categories?post=24481"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fwq.ai\/blog\/wp-json\/wp\/v2\/tags?post=24481"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}