PHP htmlentities() on input before DB insert, instead of on output

Question

I wonder if there's any downside or bad practice in doing the following procedure:

  1. $user_input -> htmlentities($user_input) -> mysql_escape($user_input) -> insert $user_input into DB
  2. select $user_input from DB -> echo $user_input

Instead of doing the following:

  1. $user_input -> mysql_escape($user_input) -> insert $user_input into DB
  2. select $user_input from DB -> echo htmlentities($user_input)

As we display the same $user_input in a lot of places it feels more efficient to do it on the input instead, are there any downsides / bad practice / exploit-ability in doing it this way?

Cheers!

Comments:

@Matt: In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible. It depends on two things: Is any other person/program going to reference this data? Does the data need to be easily editable?

@Sjoerd: There is a downside if you want to display the data as something other than HTML, e.g. a CSV download, PDF, etc.

Answer

It depends on two things:

  • Is any other person/program going to reference this data?
  • Does the data need to be easily editable?

The advantage of method one is that, in the case that the data is used in one place, and htmlentities() would be called every time, you'd be saving this step.

However, this would only yield a notable improvement if the HTML data is very large. In general, to keep things readable and maintainable, try to store it as close to the original, unfiltered content as possible.

In fact, you might find that HTML is the wrong thing to store anyway. It might be better to store something like Markdown and simply convert it to HTML when viewed.
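An added illustration of the answer's point (not part of the original question or answer), written in Python with sqlite3 standing in for MySQL rather than in PHP: method_one() encodes on input and stores the entities, method_two() stores the raw text and encodes for each output sink. Both produce identical HTML, but the CSV export from method one carries HTML entities that do not belong in a CSV, and a parameterised query takes the place of the manual mysql_escape() step.

```python
import csv
import html
import io
import sqlite3

# Constructed sample input: the kind of comment a user might submit.
SAMPLE_INPUT = 'Tom & Jerry <b>bold</b> "quoted"'


def new_db():
    """Fresh in-memory table, standing in for the MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store(conn, text):
    """Insert with a bound parameter: the driver handles SQL escaping."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (text,))
    return cur.lastrowid


def fetch(conn, row_id):
    return conn.execute("SELECT body FROM comments WHERE id = ?", (row_id,)).fetchone()[0]


def render_html(text):
    """Encode for the HTML sink only at output time."""
    return "<p>%s</p>" % html.escape(text, quote=True)


def render_csv(text):
    """Encode for the CSV sink: CSV quoting, no HTML entities."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerow(["body", text])
    return buf.getvalue()


def method_one(text):
    """Method 1 from the question: HTML-encode on input, echo as stored."""
    conn = new_db()
    stored = fetch(conn, store(conn, html.escape(text, quote=True)))
    # HTML output is fine, but the CSV export now contains &amp; &lt; &quot;.
    return {"stored": stored, "html": "<p>%s</p>" % stored, "csv": render_csv(stored)}


def method_two(text):
    """Method 2 from the question: store raw, encode per output sink."""
    conn = new_db()
    stored = fetch(conn, store(conn, text))
    return {"stored": stored, "html": render_html(stored), "csv": render_csv(stored)}
```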
