通过PHP安全输入 [英] Input secure by PHP
问题描述
我不确定,如何真正使用字符串进行安全输入.
I'm not sure , how I can really make a safe inputs with strings.
例如,我得到了:
$id = intval($_POST['id']);
$name = $_POST['name'];
$sql->query("UPDATE customers SET name = " . $sql->escape_string($name) . " WHERE id = {$id}");
我确定$name的安全性不够.如何保护它以防止XSS漏洞?
I'm sure that $name isn't secured enough. How can I secure it, to prevent from XSS vulnerability?
亲切的问候, 气旋.
推荐答案
XSS保护应该在输出端而不是您的存储介质(数据库)上进行.数据库不知道数据的显示位置.如果要存储的数据是文本(如本例中的$name),则应将其存储为文本而不是HTML.
XSS protection should be done on the output side, not your storage medium (the database). The database does not know where the data is displayed at. If the data to be stored is text (as in this case with $name), you should store it as text and not HTML.
如果您真的想摆脱可能的HTML标记,请使用$name = strip_tags($_POST['name']),但是防止XSS漏洞的正确方法是在输出端使用htmlspecialchars(或htmlentities)将其转义.
If you really want to get rid of possible HTML tags, use $name = strip_tags($_POST['name']), but the correct way to prevent XSS vulns is escaping it on the output side with htmlspecialchars (or htmlentities).
如果要使用PHP过滤器功能,下面是一个删除HTML标签的示例:
If you want to use the PHP filter functions, here is an example that removes HTML tags:
$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
PHP文档:
- filter_input function
- Sanitize filters
这篇关于通过PHP安全输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
