在将用户输入存储到数据库之前对其进行转义/编码，还是将其按原样存储在数据库中并在检索时进行转义，这样更好? [英] is it better to escape/encode the user input before storing it to database or to store it as it is in database and escape it while retrieving?

问题描述

我正在使用htmlspecialchars()功能来防止XSS攻击.我不知道从下面开始有什么更好的方法将数据存储到数据库中.

I am using htmlspecialchars() function to prevent XSS attacks. I have doubt regarding what is the better method to store the data in database from following.

方法1::应用htmlspecialchars()功能后，存储用户输入的值.使用它，用户输入"<script>"将变为& ltscript& gt;"

Method 1 : Store the user input values after applying htmlspecialchars() function. Using this it user input "<script>" will become "<script>" .

方法2::按原样存储用户输入，并在检索数据并将其显示在页面上时应用htmlspecialchars()方法.

Method 2 : Store the user input as it is and apply htmlspecialchars() method while retrieving the data and displaying it on the page.

我怀疑的原因是，我相信使用方法1会导致数据库开销，而使用方法2时，需要通过php请求一次又一次地转换数据.所以我不确定哪个更好.

The reason for my doubt is that I believe using method 1 there will be overhead on database, while using method 2 data need to be converted again and again when requested through php. So I am not sure which one is better.

有关更多信息，我正在使用htmlspecialchars($val, ENT_QUOTES, "UTF-8")，以便也可以转换'和'.

For more information, I am using htmlspecialchars($val, ENT_QUOTES, "UTF-8") so that will convert ' and " as well.

请帮助我清除我的疑问.如果可能，还提供解释.

Please help me clear my doubt. Also provide explanation if possible.

谢谢.

推荐答案

一个更好的 原因是，在将其截断以适合某个空间时，您会被诸如"&quo..."的可憎之物卡住.抵制尝试摆弄数据的诱惑超过最低要求.如果您担心要重新处理数据，请对其进行缓存.

An even better reason is that on truncating to fit a certain space you'll get stuck with abominations such as "&quo...". Resist the temptation to fiddle with your data more than the minimum required. If you're worried about reprocessing the data, cache it.

这篇关于在将用户输入存储到数据库之前对其进行转义/编码，还是将其按原样存储在数据库中并在检索时进行转义，这样更好?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！