Sanitizing USER input


Problem description

Hi all,

I know this question is very common, and can be searched on Google, but to tell you the fact, Google is confusing me on this, because every next article has got a different story to tell about securing the input from the user.

I read one must use the following:

filter_input
htmlspecialchars
strip_tags
mysql_real_escape_string
stripslashes

I mean it's all confusing me.. Simply, I want to create a secure input from the user. Like one is a post title and the next is a text area. So it's like when you are posting in this discussion forum.
What I want to secure is that one must not put some false characters like
"dajdhasjdhasjdasjds"

I know there are some readymade scripts available, that is what WordPress uses, but it would be good if I can make something on my own with the kind guidance of the experts around this forum.

Thanks and regards

Recommended answer

Heya, Realin.

When you store data in a database, you want to make sure you run mysql_real_escape_string() on it so as to prevent SQL injection.

strip_tags() removes HTML and PHP tags from input. You can optionally specify a list of tags that are allowed. This is useful for removing <script>, <style>, <meta>, etc. tags from posts that you might otherwise want to be able to include HTML.

htmlspecialchars() turns HTML entities such as <, >, &, ", etc. into their encoded counterparts, &lt;, &gt;, &amp;, &quot;, etc. Also handy if you are planning on outputting the data in an HTML document.

filter_input(), which isn't widely supported just yet, is supposed to automate the three aforementioned functions on any input. Very handy.

You'll probably also find yourself wanting to use regular expressions so that not only are you ensuring that the input doesn't contain what you don't want it to, but that it also contains what you want it to. For example, if you want a telephone number, you're going to want to make sure that the user didn't input any letters.

preg_match() is useful for this, and check out this site for more information on regular expressions.
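
An added example (not code from the thread or from WordPress) showing how the functions named in the answer fit together for the post title and textarea Realin describes. A mysqli prepared statement is used in place of mysql_real_escape_string(), which was removed in PHP 7; the function names, the "posts" table and the allowed-tag list are assumptions.

```php
<?php
// Added example, not from the original thread. Function names, the
// "posts" table and the allowed-tag list are assumptions.

// 1. Validate the title with preg_match(): require what you DO want
//    (3-100 letters, digits, spaces and basic punctuation), not just
//    reject what you don't. Anything else is refused, not "cleaned".
function validate_title(string $title): ?string {
    $title = trim($title);
    return preg_match('/^[\p{L}\p{N} .,:;!?\'"()-]{3,100}$/u', $title) ? $title : null;
}

// 2. Sanitize the body with strip_tags() and an allow-list. Caveat:
//    strip_tags() keeps attributes on allowed tags, so allow only
//    attribute-free formatting tags, never <a> or <img>.
function sanitize_body(string $body): string {
    return strip_tags($body, '<p><br><b><i>');
}

// 3. Store with a mysqli prepared statement instead of
//    mysql_real_escape_string(): the value travels separately from the
//    SQL text, so it can never change the query's structure.
function store_post(mysqli $db, string $title, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (title, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $title, $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

// 4. Escape with htmlspecialchars() at output time, where the data is
//    written into an HTML document, rather than before storing it.
function render_title(string $title): string {
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 5. The telephone-number case from the answer: digits, spaces and
//    dashes only, optionally starting with "+". Letters fail the match.
function is_phone(string $s): bool {
    return (bool) preg_match('/^\+?[0-9][0-9 -]{5,18}[0-9]$/', $s);
}

// Constructed sample input standing in for $_POST (no database needed).
$input = ['title' => 'Hello <b>world</b>', 'body' => '<p>Hi</p><script>alert(1)</script>'];
var_dump(validate_title($input['title']));   // refused: '<' and '>' are outside the allowed set
var_dump(sanitize_body($input['body']));     // <script> tag removed, <p> kept
echo render_title('5 < 6 & "quotes"'), "\n";
var_dump(is_phone('+44 20 7946 0958'), is_phone('abc'));
```

Escaping belongs at each boundary (SQL, HTML) rather than once on input, so the stored value stays the user's actual text and each output context gets the encoding it needs.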


Thanks a lot mate, regular expressions was the thing that was missing.. it's hard to understand for me though.. but I am trying.. for instance take this..

[PHP]
title = preg_replace('|%([a-fA-F0-9][a-fA-F0-9])|', '---

