Do I need htmlentities() or htmlspecialchars() in prepared statements?


Question

In an article, http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html, it says the following:

There are numerous advantages to using prepared statements in your applications, both for security and performance reasons.

Prepared statements can help increase security by separating SQL logic from the data being supplied. This separation of logic and data can help prevent a very common type of vulnerability called an SQL injection attack.

Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters.

This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters, and they do not need to be escaped using any special function.

Does this mean I don't need htmlentities() or htmlspecialchars()? But I assume I need to add strip_tags() to user input data? Am I right?

Answer

htmlentities and htmlspecialchars are used to generate the HTML output that is sent to the browser.

Prepared statements are used to generate/send queries to the database engine.

Both allow escaping of data, but they don't escape for the same usage.
So, no, prepared statements (for SQL queries) don't prevent you from properly using htmlspecialchars/htmlentities (for HTML generation).

About strip_tags: it will remove tags from a string, whereas htmlspecialchars will transform them into HTML entities.
Those two functions don't do the same thing; you should choose which one to use depending on your needs / what you want to get.

For example, with this code:

$str = 'this is a <strong>test</strong>';
var_dump(strip_tags($str));
var_dump(htmlspecialchars($str));

You'll get this kind of output:

string 'this is a test' (length=14)
string 'this is a &lt;strong&gt;test&lt;/strong&gt;' (length=43)

In the first case, no tags; in the second, properly escaped ones.

And, with an HTML output:

$str = 'this is a <strong>test</strong>';
echo strip_tags($str);
echo '<br />';
echo htmlspecialchars($str);

You'll get:

this is a test
this is a <strong>test</strong>

Which one of those do you want? That is the important question ;-)
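The answer above draws the line between SQL-side parameter binding and HTML-side output encoding. The script below is an added example written for this page, not code from the original question or answer: it runs the same constructed payloads through a bound parameter (which neutralises the SQL injection attempt) and then through htmlspecialchars() and strip_tags() at render time, so the difference between encoding and tag stripping is visible on a payload that carries no tags at all. It assumes PHP 8 with the bundled pdo_sqlite driver so that it runs offline against an in-memory database; the table name, function names and sample inputs are all hypothetical.

```php
<?php
// Added example, not part of the original Q&A. Assumes PHP 8 with pdo_sqlite.
declare(strict_types=1);

// In-memory SQLite database so the example runs offline (hypothetical schema).
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// SQL side: the value travels as a bound parameter, so quotes, semicolons and
// "--" are data, never syntax. No SQL escaping and no htmlspecialchars() here.
function storeComment(PDO $db, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function fetchBodies(PDO $db): array {
    return $db->query('SELECT body FROM comments ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// HTML side: encode at the point where the value lands in the page.
// ENT_QUOTES also encodes single quotes, so the result is safe in a text node
// or inside a quoted attribute value.
function renderEscaped(string $body): string {
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p title="' . $safe . '">' . $safe . '</p>';
}

// strip_tags() is a content filter, not an encoder: it drops <...> sequences
// but keeps quotes, ampersands and the text between the tags.
function renderStripped(string $body): string {
    $stripped = strip_tags($body);
    return '<p title="' . $stripped . '">' . $stripped . '</p>';
}

$db = setupDb();

// Constructed inputs: one SQL injection attempt, one stored XSS attempt with
// tags, and one attribute breakout that contains no tags at all.
$inputs = [
    "Robert'); DROP TABLE comments; --",
    'Nice post <script>alert(document.cookie)</script> & "thanks"',
    '" onmouseover="alert(1)',
];

foreach ($inputs as $input) {
    storeComment($db, $input);
}

// All three rows are stored verbatim and the table still exists: the bound
// parameter did its job without any escaping function being called.
foreach (fetchBodies($db) as $body) {
    echo "stored:   $body\n";
    echo "escaped:  " . renderEscaped($body) . "\n";
    echo "stripped: " . renderStripped($body) . "\n\n";
}
```

Run it with `php example.php` and compare the two rendered lines for the third input: strip_tags() leaves `" onmouseover="alert(1)` untouched, so the stripped version closes the title attribute and injects an event handler, while the encoded version turns every quote into `&quot;` and stays inside the attribute. That is why strip_tags() is a formatting choice (do you want the user's markup removed?) rather than a substitute for output encoding, and why neither of them has anything to do with the prepared statement that stored the row.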

