使用htmlspecialchars（）进行输入/输出的HTML清理，对于MySQL数据库的坏设计？ [英] Is using htmlspecialchars() for input/output HTML sanitization, for MySQL database bad design?

问题描述

可能重复：

最好的PHP输入清理功能是什么？

在输入/输出HTML清理时使用htmlspecialchars（）来处理MySQL数据库的错误设计？

Is using htmlspecialchars() for input/output HTML sanitization, for MySQL database bad design?

它仍然会显示b标签，i标签和其他人？

Should you instead just not allow these "dangerous" signs because it still will show b-tags,i-tags and others? And how to do so?

我问的是因为它在wiki上说了 http://en.wikipedia.org/wiki/HTML_sanitization

I'm asking because it says on wiki http://en.wikipedia.org/wiki/HTML_sanitization

HTML清理可用于防止跨站点脚本

"HTML sanitization can be used to protect against cross-site scripting and SQL injection attacks by sanitizing any HTML code submitted by a user."

除了使用PDO准备的语句，为了防止SQL注入，我想使用这个htmlspecialchars所有输入和输出。

So besides using PDO prepared statements, to prevent SQL-injections, i want to use this htmlspecialchars for all input and output. But maybe I should use something else?

这是一个很好的方法来执行一个insert语句实例？：

Is this a good way to do an insert statement for instance?:

$type= htmlspecialchars($_POST['animaltype']);
$name= htmlspecialchars($_POST['animalname']);
$age= htmlspecialchars($_POST['animalage']);        
$descr= htmlspecialchars($_POST['animaldescription']);
$foto= htmlspecialchars($_POST['animalfotourl']);
$date=htmlspecialchars($_POST['animalhomelessdate']);



$sqlquery  = "INSERT INTO animals_tbl(animaltype, animalname, animalage, animaldescription, animalfotourl, animalhomelesssince) VALUES (':type',':name',':age',':descr', ':foto', ':date')";


$stmt = $conn->prepare($sqlquery);
$stmt->bindParam(':type',$type, PDO::PARAM_STR);
$stmt->bindParam(':name',$name, PDO::PARAM_STR);
$stmt->bindParam(':age',$age, PDO::PARAM_INT);
$stmt->bindParam(':descr',$descr, PDO::PARAM_STR);
$stmt->bindParam(':foto',$foto, PDO::PARAM_STR);
$stmt->bindParam(':date',$date, PDO::PARAM_STR);

$stmt->execute();

推荐答案

htmlspecialchars code>足以为浏览器转义文本。这将保护其他网站用户免受XSS攻击。

htmlspecialchars() is sufficient to escape text for browsers. This will protect other site users from XSS attacks.

但是， 。将转义内容存储在数据库中似乎对我来说设计不佳。数据库应存储实际内容，而不是灰色内容。

However, I would only run this function when displaying data. Storing escaped content in a database seems like poor design to me. The database should store actual content, not munged content. Escape things as necessary at each layer, and no sooner.

为了说明为什么这是一个坏主意，考虑一个web网站正在努力实现一个JSON驱动的API。如果他们在数据库中存储HTML编码的数据，他们有两个选择：（a）在JSON响应中有HTML编码的数据（这没有意义），或者（b）在JSON之前将HTML解码回原来的形式 - 编码。这两种选择都是次优的。

To illustrate why this is a bad idea, consider a web site that is working on implementing a JSON-driven API. If they are storing HTML-encoded data in their database, they have two choices: (a) have HTML-encoded data in their JSON responses (which makes no sense), or (b) decode the HTML back to its original form before JSON-encoding it. Both choices are sub-optimal.

数据进入数据库，JSON字符串存入JSON文档，HTML编码数据存入HTML文档。不要混用！

Data goes in the database, JSON strings go in JSON documents, and HTML-encoded data goes in HTML documents. Don't mix them!

这篇关于使用htmlspecialchars（）进行输入/输出的HTML清理，对于MySQL数据库的坏设计？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！