这是安全/强大的输入清理功能吗? [英] Is this a safe/strong input sanitization function?

问题描述

这是我最近从一本书中学到的消毒功能-

This is the sanitization function used in a book I recently learned from - Sams Teach Yourself Ajax, JavaScript, and PHP All in One.

我一直在自己的PHP网站上使用它.在现实世界中使用安全吗?

I've been using it on my own PHP site. Is it safe for real-world usage?

function sanitizestring($var)
{
  $var = strip_tags($var);
  $var = htmlentities($var);
  $var = stripslashes($var);
  return mysql_real_escape_string($var);
}

推荐答案

我会说这太笼统了. 可能在许多用途上都是安全的，但通常会给字符串带来不必要的副作用.并非每个字符串都应该这样转义.

I would say that is too general. It may be safe for a lot of uses, but it would often give unwanted side affects to strings. Not every string should be escaped like that.

• mysql_real_escape_string()仅应在SQL查询中使用.更好的是，将参数与PDO绑定.
• 为什么要在插入数据库之前覆盖条带标签并编码实体?也许是在出门的时候做.
• 对于XSS预防，htmlspecialchars()是您的更多朋友.给它一个字符集作为参数.

• mysql_real_escape_string() should be used within SQL queries only. Better still, bind params with PDO.
• Why would you want to blanket strip tags and encode entities before inserting into a database? Maybe do it on the way out.
• For XSS prevention, htmlspecialchars() is more of your friend. Give it the character set as an argument.

因此，我将使用mysql_real_escape_string()进行查询，并使用htmlspecialchars()来回显用户提交的字符串.还有很多要知道的.进行一些进一步阅读.

So I would use mysql_real_escape_string() for queries, and htmlspecialchars() for echoing user submitted strings. There is also a lot more to know. Do some further reading.

这篇关于这是安全/强大的输入清理功能吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！