Is "filter input, escape output" still valid with PDO


Question

I've read this before, "filter input, escape output", but is filtering input really needed when I use PDO with PHP? I thought with PDO I don't need to filter input because the prepared statement takes care of SQL injection. I think "escape output" is still valid, but is "filter input" still valid?

Recommended answer

Yes, it's still valid.

Filtering is not about preventing security vulnerabilities, it's about not populating your database with garbage. If you're expecting a date, make sure it at least looks like a date prior to storing it.

Escaping output is about preventing security vulnerabilities (namely XSS or Cross Site Scripting).

So yes, both are quite important and are totally unrelated to SQL Injection (although a fair number of developers still confuse filtering with escaping for SQL queries and hence can still be subject to vulnerabilities)...
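The three separate concerns in the answer, shown together in one added PHP example (this is not code from the question or the answer; it assumes PHP 8 with the pdo_sqlite extension, and the `events` table and the form submissions are constructed for the demonstration): a prepared statement keeps the values out of the SQL text, a date filter keeps garbage out of the table, and escaping at the point of output is what prevents XSS.

```php
<?php
declare(strict_types=1);

// Added example, not from the original question or answer. Assumes PHP 8 with
// the pdo_sqlite extension; the table and the sample inputs are constructed.

/**
 * Filter input: accept only strings that are real calendar dates in Y-m-d form.
 * Returns the date string, or null if the input is garbage.
 */
function filterDate(string $input): ?string
{
    // '!' resets the unspecified fields (time of day) to zero.
    $dt = DateTime::createFromFormat('!Y-m-d', $input);
    // createFromFormat is lenient (2024-02-30 silently rolls over to March 1),
    // so require an exact round trip to reject such values.
    if ($dt === false || $dt->format('Y-m-d') !== $input) {
        return null;
    }
    return $input;
}

/**
 * Escape output: make an untrusted string safe to place in HTML text or in a
 * quoted attribute value. This, not the prepared statement, is what stops XSS.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, no client-side quoting
]);
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT NOT NULL, event_date TEXT NOT NULL)');

// Constructed sample submissions, as they might arrive from a form.
$submissions = [
    ['title' => 'Release party',                   'date' => '2024-03-15'],
    ['title' => "Bob's <script>alert(1)</script>", 'date' => '2024-02-30'], // not a real date
    ['title' => "O'Reilly & Sons",                 'date' => '2024-01-02'], // quote and ampersand are fine
];

// Prepared statement: the parameters travel separately from the SQL text, so
// nothing in the values needs escaping for the database's sake.
$insert = $pdo->prepare('INSERT INTO events (title, event_date) VALUES (:title, :event_date)');

foreach ($submissions as $s) {
    $date = filterDate($s['date']);
    if ($date === null) {
        // Rejected by the filter: garbage never reaches the table.
        echo "rejected: invalid date {$s['date']}\n";
        continue;
    }
    $insert->execute([':title' => $s['title'], ':event_date' => $date]);
}

// Render: every value read back is escaped at the moment it is put into HTML,
// regardless of how it got into the database.
$rows = $pdo->query('SELECT title, event_date FROM events ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
echo "<ul>\n";
foreach ($rows as $row) {
    printf("  <li>%s on %s</li>\n", escapeHtml($row['title']), escapeHtml($row['event_date']));
}
echo "</ul>\n";
```

Run it with `php example.php`: the second submission is rejected by the date filter, the title containing the quote and ampersand is stored unchanged by the prepared statement, and the rendered list shows `O&#039;Reilly &amp; Sons`, which the browser displays as the original text without interpreting any markup.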

