When to sanitize PHP & MySQL code: before it is stored in the database or when it is being displayed?


Problem description

Okay, I was wondering when I should sanitize my code: when I store it in the database, when I have it displayed on my web page, or both?

I ask this question because I sanitize my code before it gets stored in the database, but I never sanitize it when it's displayed for the user.

Here is an example of how I sanitize my code before it's stored in the database.

// $mysqli is an open mysqli connection; $purifier is an HTML Purifier instance.
$title = mysqli_real_escape_string($mysqli, $purifier->purify(strip_tags($_POST['title'])));
$content = mysqli_real_escape_string($mysqli, $purifier->purify($_POST['content']));

Recommended answer

There are distinct threats you are (probably) talking about here:

  • You need to sanitize data that's being inserted into the database to avoid SQL injections.
  • You also need to be careful with the data that's being displayed to the user, as it might contain malicious scripts (if it's been submitted by other users). See Wikipedia's entry for cross-site scripting (aka XSS).

What's harmful to your database is not necessarily harmful to the users (and vice versa). You have to take care of both threats accordingly.

In your example:

  • Use mysqli::real_escape_string() on the data being inserted into your db (sanitizing).

  • You probably want to use the purifier prior to data insertion - just ensure it's "purified" by the time the user gets it.

  • You might need to use stripslashes() on data retrieved from the db to display it correctly to the user if magic_quotes are on.
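The answer's point that the storage-side threat (SQL injection) and the display-side threat (XSS) need separate handling, shown as an added example that is not part of the original question or answer. It uses an in-memory SQLite database through PDO so it runs offline; the same approach (bound parameters on the way in, HTML escaping on the way out) applies to mysqli prepared statements against MySQL.

```php
<?php
// Added example, not from the original post. PDO + sqlite::memory: stands in
// for the mysqli connection so the script can run without a MySQL server.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, content TEXT)');
    return $db;
}

// Storage side: the SQL-injection concern. Bound parameters keep the user's
// text out of the SQL grammar, so no mysqli_real_escape_string() call is
// needed and the text is stored exactly as submitted (no stray backslashes,
// so no stripslashes() is needed later either).
function storePost(PDO $db, string $title, string $content): int
{
    $stmt = $db->prepare('INSERT INTO posts (title, content) VALUES (:title, :content)');
    $stmt->execute([':title' => $title, ':content' => $content]);
    return (int) $db->lastInsertId();
}

// Display side: the XSS concern. Escaping happens where the value meets an
// HTML context, so it is correct regardless of how the row got into the db.
function renderPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT title, content FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '';
    }
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $esc($row['title']) . '</h1><p>' . $esc($row['content']) . '</p>';
}

// Constructed sample input: a quote that would break naive string-built SQL
// and a tag that would execute if echoed unescaped. Neither harms the
// database, and neither reaches the browser as markup.
$db = openDb();
$id = storePost($db, "O'Reilly's <script>alert(1)</script>", "It's fine & safe");
echo renderPost($db, $id), PHP_EOL;
```

If a field is meant to carry a limited subset of HTML, run that field through the purifier before storage (as the question already does) and skip htmlspecialchars() for that field only; every other field still gets escaped at display time.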
