php 中的 Strip_tags 或 mysql_real_escape_string 或 add_magic_quotes [英] Strip_tags or mysql_real_escape_string or add_magic_quotes in php
问题描述
最近在看php安全,头晕,请解释清楚!
i reading about php security these days and i'm dizzy, please explain clear!
我知道我应该使用 strip_tags() 或 htmlentities() 进行 XSS 攻击.但是如果我需要一些 where html 标签,就像博客文章一样,我该怎么办!?
i know i should use strip_tags() or htmlentities() for XSS attacks. but if i need some where html tags, same as blog post, what should i do!?
但是我应该在哪里使用 mysql_real_escape_string() 和 add_magic_quotes() ?这些都一样吗?
but where should i use mysql_real_escape_string() and add_magic_quotes()?
are these same?
另一个问题是,我应该为每个 SQL 查询使用 mysql_real_escape_string() 吗?(INSERT、UPDATE、SELECT、DELETE 等)?此函数是否会对我的数据产生不良影响(例如,对具有 html 标签或 '、"" 的博客文章)?
an other question is, should i use mysql_real_escape_string() for every SQL query? (INSERT, UPDATE,SELECT, DELETE, etc.)? can this function has bad effect on my data (for example, on a blog post that has html tags or ', "")?
推荐答案
如果您需要在博客文章中使用 HTML,您应该将标签和属性列入白名单,但您不应自己尝试这样做.相反,使用 HTMLPurifier.使用 if 之前存储在数据库中,因为它很重,很慢,但很安全.
If you need to allow HTML within a blog post, you should whitelist tags and attributes, but you should not attempt this yourself. Instead, use HTMLPurifier. Use if before storing in the database as it is heavy and slow, but very safe.
根本不应该使用魔术引号.曾经.mysql_real_escape_string() 应该用于查询中提供的每个参数.这就是防止 SQL 注入所需的全部内容.当然,确保连接期望您实际发送的字符编码是先决条件.
Magic quotes should not be used at all. Ever. mysql_real_escape_string() should be used on every single argument provided in the query. It is all that is needed to prevent SQL injections. Of course, making sure the connection expects the character encoding you are actually sending is a prerequisite.
这篇关于php 中的 Strip_tags 或 mysql_real_escape_string 或 add_magic_quotes的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
