PHP如何转义pgp公钥以插入数据库

Question

编辑:

对于任何想知道我最终如何实现这一目标的人，我意识到我不应该再做个白痴，而是现在接受用户输入并将其导入钥匙串(keychain)。从导入中，它会提取用于将来签名的指纹。

参见:http://php.net/manual/en/ref.gnupg.php

如果它不适合您，请确保 php/nginx/apache 具有存储 key 的文件夹的权限。 (/home/you/.gnupg)

在我们的网站上，我们接受 PGP 公钥，以便加密发送给用户的电子邮件，到目前为止，我们还没有费心逃脱，因为它仍处于封闭测试阶段。

显然，当我们将其插入数据库时​​，我们不希望留下任何漏洞，但如何在保持 key 完整性的同时避开它？

公钥示例:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (MingW32)

mQGNBFQPofkBDAC7+1uvxtEwEzaRk9Ef+z7Ja74BxjpiSPZH9yC7Xdhp1l9RjhHz
fhOOcY+WphLijudEFFUkKpoK3/Q8DH7qfP3wnlKDxZbZMkpVyDS8ZQo05rqAI8wy
Ra8dmPQOKYirfHXoTccRh2AUfeIYH+6Cm8j8PRFbCXWO8ibyysawFvudyuY1GRmn
8/q2a9NTLmFOjRY4R4W3ly8Ix2JRQcBDfmJYlUO8q0aMb8mRtyNWqT72sr9SmFIX
3QE3XtCYygPMG0/xn2rEA/7MH7n28M0rTcj3nECwv978RFossmxt4MsqCuqxQzNL
LYn8ckL9EIcsvL0tFNQeFUfP+pwB1PV2TbsrTuYECtRXH2uGQOITRoPnvdD1cW7W
YsyQ2ws+D9YlKQ4SFtfMHPo/6BrPt8BLcuo8kjlqSPH+KCrOxfC6WTCfdGY2JcMF
+LVjrtrCVhZOq+E7p0wv/DI8D4NP4jDb7t0JOOWbQXjYH8cUcKPcI5wgdkoeL4BH
hOI4rEX+1/morIMAEQEAAbQwV2lsbGlhbSBEdW5uZSAoTWltZXggRlMgTFREKSA8
d2lsbGlhbUBtaW1leC5uZXQ+iQG5BBMBAgAjBQJUD6H5AhsDBwsJCAcDAgEGFQgC
CQoLBBYCAwECHgECF4AACgkQXGTM66ZI00+QOQv9GgAppfDTgutFflMqewIdgLga
+aE+8EFRA8IEtwy1Cu9vKjKGjA05uUk0uJJR3LGkrPAKbHI6uISPR6DbpwrFxf8R
/JNPOGwMgSDN83RY+0n5sbYZOEu7Npkw2g5zyBj66weeiCk2ozm3UdKPj6u+AP8Q
iz5cnzu3AbJH5l5kcfkkdZSNIjdXdjff7I3NUXC91/CXjo4DYBUdHyD5v0JRBSoq
ZS8BzXw0TBWXSMiB4iD2m1nXgFWt6i95Yho/QB1Gy1dOWL6u8MvSvMDrA1JKJtZT
T7cCAGYmS4Rpz7PKFH0mntNEm5fW6yUMnfT+PqB7fhdJh2mLscCHnu6Z5pUhQJRw
lGrzWnLMFdWqozgiNU0bKu942pLWN8fSF4HUEEld+krpl6NUJNDtCjBW72ssXl4j
Av9Y9VfDhKBKTyeq3gJZEJ0WIS6Wkxu/CqnCUTiXMsy+yxEvlINM3F34isowCiFy
FL1x3xFnKNhYLoaqKuhy06WTE0KrruCpUxvw+rwVuQGNBFQPofkBDACeldHZBjjH
vfKi1xYIsr7JZ/AUfIU55QAJyVV0eVmI8BkGjfQtxSYsjMUx9ioieN3H9ILjhuya
slgLk7OKDVfpg8U0S2qmJCsM1oU7EWVJr2h3lMw0wwmGcgkMvfIkNvZxsylSak1o
60aiFEomrnQx+grb8L12MIUbsSpTmcGM/3B+V8/xxmBtprhl3Re+sRc2HAKNXpZY
Tzx+IfUMckEov9T9ZJzx1Fh9SoUwNqCDoV8PCJSzhqQ4GMdP7Xy9fGz1a+NMdJW0
seuupIt8MxO9Mj1Sek0Pxqg2EIepULz5u/h+l8yttOvVF6OZZJjEQOjlsMFQ2FJb
BLNdYXRVeVcPWu/5tHX3zj4/4Kz6dSxWM3xMjIOD1xSdwrKZeP/wGyE8VVRST7pq
IJjKnGfT7tTv9sg6cxDyygGnbys720AOrXNT9GXsSQckALKCU1wBIUn5jLPU1ldp
VsWkkzzacOBHdWB8CJ6MArmEgdQ5s/fpinXkRSkRDuC7SvQx2yvy9QsAEQEAAYkB
nwQYAQIACQUCVA+h+QIbDAAKCRBcZMzrpkjTT/nqC/93Hy0qcElo3+urbqKxzlf/
e/28uOWTgGmX5bba5bpZAdh/0o5yHSB+yaVeSKUdUPgT18ft9Vlwmy8GPLgapyb6
3h6+7hOIrPd9BApI2aNAM+QmB98o47s0pUujJ8CPAVYKXaIuLMFuAUhT2kmL4C8C
JeyS7Z5+MzT3BHR+hJBQE+5nKsEVbd6pysk5Bz6rPFi17cjmDnB/tc84beAlL7jb
mAEEIdNr93xERYZC0eln72oEIwvJaG/45oxeJu9egDqeGJZ0r77AnmGe8AUcw2Wa
AXiHSV49OVFoPuC+iCXr4Ff/pNmS4UACoobqITdN+OZobaCmLPIivnGaWBci4NEU
AfWJ/GnqIeRCCHQ7Z3A+BmkiHy87g17dYkN9kRyyGFLrAGa/UJahXQN/IyiQcjGT
C/o9CCB5A9eZ8XYwTryiNPWfc6vL8UUs/ROVpBGK8WDmgnQblyQ21e6sdsN/LXs8
Z/rBQvdw18Dh8Ig//LeFINmpDtHX7EIg3k/Qdph7pHE=
=mi2n
-----END PGP PUBLIC KEY BLOCK-----

Answer 1

如果你参数化，那么你根本不用担心转义。

$pgp = file_get_contents('mykey.pgp');

$dbh = new PDO($connstr,$username,$password);

if( ! $stmt = $dbh->prepare('INSERT INTO mytable (pgpkey) VALUES (?)') ) {
    die($dbh->errorInfo());
}
if( ! $stmt->execute(array($pgp)) ) {
    die($stmt->errorInfo();
}
echo 'great success.'

也就是说， key 中不包含单引号，因此您不必担心转义它，只要您验证了输入。正如 @mike-brant 在评论中所说:

Have you considered actually validating the PGP cert that is provided? By doing this, you not only ensure that you have a safe string for insertion, but also a valid key.