使用htmlspecialchars()进行输入/输出的HTML清理,对于MySQL数据库的坏设计? [英] Is using htmlspecialchars() for input/output HTML sanitization, for MySQL database bad design?
问题描述
可能重复:
最好的PHP输入清理功能是什么?
在输入/输出HTML清理时使用htmlspecialchars()来处理MySQL数据库的错误设计?
Is using htmlspecialchars() for input/output HTML sanitization, for MySQL database bad design?
它仍然会显示b标签,i标签和其他人?
Should you instead just not allow these "dangerous" signs because it still will show b-tags,i-tags and others? And how to do so?
我问的是因为它在wiki上说了 http://en.wikipedia.org/wiki/HTML_sanitization
I'm asking because it says on wiki http://en.wikipedia.org/wiki/HTML_sanitization
HTML清理可用于防止跨站点脚本
"HTML sanitization can be used to protect against cross-site scripting and SQL injection attacks by sanitizing any HTML code submitted by a user."
除了使用PDO准备的语句,为了防止SQL注入,我想使用这个htmlspecialchars所有输入和输出。
So besides using PDO prepared statements, to prevent SQL-injections, i want to use this htmlspecialchars for all input and output. But maybe I should use something else?
这是一个很好的方法来执行一个insert语句实例?:
Is this a good way to do an insert statement for instance?:
$type= htmlspecialchars($_POST['animaltype']);
$name= htmlspecialchars($_POST['animalname']);
$age= htmlspecialchars($_POST['animalage']);
$descr= htmlspecialchars($_POST['animaldescription']);
$foto= htmlspecialchars($_POST['animalfotourl']);
$date=htmlspecialchars($_POST['animalhomelessdate']);
$sqlquery = "INSERT INTO animals_tbl(animaltype, animalname, animalage, animaldescription, animalfotourl, animalhomelesssince) VALUES (':type',':name',':age',':descr', ':foto', ':date')";
$stmt = $conn->prepare($sqlquery);
$stmt->bindParam(':type',$type, PDO::PARAM_STR);
$stmt->bindParam(':name',$name, PDO::PARAM_STR);
$stmt->bindParam(':age',$age, PDO::PARAM_INT);
$stmt->bindParam(':descr',$descr, PDO::PARAM_STR);
$stmt->bindParam(':foto',$foto, PDO::PARAM_STR);
$stmt->bindParam(':date',$date, PDO::PARAM_STR);
$stmt->execute();
推荐答案
htmlspecialchars code>足以为浏览器转义文本。这将保护其他网站用户免受XSS攻击。
htmlspecialchars()
is sufficient to escape text for browsers. This will protect other site users from XSS attacks.
但是, 。将转义内容存储在数据库中似乎对我来说设计不佳。数据库应存储实际内容,而不是灰色内容。
However, I would only run this function when displaying data. Storing escaped content in a database seems like poor design to me. The database should store actual content, not munged content. Escape things as necessary at each layer, and no sooner.
为了说明为什么这是一个坏主意,考虑一个web网站正在努力实现一个JSON驱动的API。如果他们在数据库中存储HTML编码的数据,他们有两个选择:(a)在JSON响应中有HTML编码的数据(这没有意义),或者(b)在JSON之前将HTML解码回原来的形式 - 编码。这两种选择都是次优的。
To illustrate why this is a bad idea, consider a web site that is working on implementing a JSON-driven API. If they are storing HTML-encoded data in their database, they have two choices: (a) have HTML-encoded data in their JSON responses (which makes no sense), or (b) decode the HTML back to its original form before JSON-encoding it. Both choices are sub-optimal.
数据进入数据库,JSON字符串存入JSON文档,HTML编码数据存入HTML文档。不要混用!
Data goes in the database, JSON strings go in JSON documents, and HTML-encoded data goes in HTML documents. Don't mix them!
这篇关于使用htmlspecialchars()进行输入/输出的HTML清理,对于MySQL数据库的坏设计?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!