在PDO中使用htmlspecialchars函数准备并执行 [英] Using htmlspecialchars function with PDO prepare and execute

问题描述

使用PHP CDO使用htmlspecialchars()函数在表单验证和数据库查询中将特殊字符转换为HTML实体真的必要吗?

Is converting special characters to HTML entities in form validation and database query using PHP PDO using htmlspecialchars() function really necessary?

例如，我有一个具有简单登录系统的网站，大致类似:

For example, I have a website with simple login system more or less like:

$username = (string) htmlspecialchars($_POST['user']);
$password = (string) htmlspecialchars($_POST['pass']);

$query = $dbh->prepare("select id where username = ? and password = ?")
$query->execute($username, $password);

请注意，除了要考虑的功能之外，我还使用类型转换.因此，是否有必要?或者我可以安全地使用$username = $_POST['user'];吗?

Note that I also use type casting besides the function in question.. So, is it necessary? Or I can safely use $username = $_POST['user']; ?

推荐答案

您的困惑非常普遍，因为书籍和互联网(包括php.net)中的信息和示例具有误导性或含糊性.开发Web应用程序时，您可以了解的最重要的信息是

Your confusion is quite common because information and examples in books and on the internet including php.net are misleading or ambiguous. The most important thing you can learn when developing web apps is filter input, escape output.

过滤器输入 这意味着对于任何数据输入(无论是用户在表单上提供还是从其他来源的文件提供)，请过滤掉不属于任何内容的任何内容.例如，如果希望使用数字值，请过滤掉所有非数字字符.另一个示例是限制/确保最大数据长度.但是，您不必为此而疯狂.例如，如果您希望一行文本中可以包含任何字符组合，那么尝试使用过滤器可能只会使您的用户感到沮丧.

Filter Input This means that for any data input whether provided by a user on a form or provided by a file from some other source, filter out anything which does not belong. An example would be that if you expect a numeric value, filter out any non-numeric characters. Another example would be limit/ensure the maximum length of data. However, you don't need to get to crazy with this. For example, if you expect a line of text that can contain literally any combination of characters, then trying to come up with a filter will probably only frustrate your users.

因此，通常您会事先将输入数据存储在数据库中，并事先进行可选的过滤.

So, you generally would store input data in your database as provided with optionally some filtering before hand.

转义输出 转义输出的意思是适当地保护给定媒体的数据.大多数情况下，此媒体是网页(html).但是，它也可以是纯文本，xml，pdf，图像等.对于html，这意味着使用htmlspecialchars()或htmlentities()(您可以阅读

Escape Output What is meant by escape output is to properly make safe the data for a given media. Most of the time, this media is a web page (html). But, it can also be plain text, xml, pdf, image, etc. For html, this means using htmlspecialchars() or htmlentities() (you can read up on the differences here). For other media types, you would escape/convert as appropriate (or not at all if appropriate).

现在，您的问题是是否应该在将用作sql查询参数的输入数据上使用htmlspecialchars().答案是不.您不应以任何方式修改数据.

Now, your question is whether or not you should use htmlspecialchars() on input data that will be used as sql query parameters. The answer is no. You should not modify the data in any way.

是的，应该将$ _POST中包含的数据视为危险.这就是为什么您应该1)防止在执行操作时使用准备好的语句和绑定参数进行sql注入，以及2)如果将其放置在html中，则可以正确地转义/转换在$ _POST中找到的数据.

Yes, the data contained in $_POST should be considered dangerous. Which is why you should 1) guard against sql injection using prepared statements and bound parameters as you are doing and 2) properly escape/convert data found in $_POST if you place it in html.

有许多PHP框架可为您处理这些详细信息，我建议您选择并使用一个.但是，如果没有，您仍然可以构建安全的应用程序.无论您是否使用框架，我强烈都建议您阅读 OWASP .否则，只会导致Web应用程序的安全噩梦.

There are many frameworks for PHP which handle these details for you and I recommend you pick and use one. However, if you do not, you can still build a safe and secure application. Whether you use a framework or not, I strongly suggest that you read the recommendations suggested by OWASP. Failure to do so will only result in a security nightmare for your web application.

这篇关于在PDO中使用htmlspecialchars函数准备并执行的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！