PDO & Sanitize Date/Remove HTML


Question

I'm letting users update their name with this code.

    $dbh = connect();
    $q = $dbh->prepare('UPDATE Users SET username=:name WHERE User_ID=:id LIMIT 1'); 
    $q->bindParam(":id", $loggedInUser->user_id, PDO::PARAM_INT);
    $q->bindParam(":name", $_GET['name'], PDO::PARAM_STR);
    $q->execute();

A) Is this enough to sanitize information? B) When I put HTML tags in there like <b>name</b>, it actually shows up in bold on my site! Is there an option where I can have PDO strip out all HTML?

Answer

Looks reasonably sound. I would suggest using POST instead of GET for destructive / manipulative operations, though. You're far less likely to suffer from CSRF attacks if you stick to POST data, though it does not make you totally immune.

If you do not actually want users to enter HTML in the name field, don't worry about filtering data on the way into the database. Escape it on the way out via htmlspecialchars() or htmlentities().

I've always stood by the idea that data should go into the database as raw as possible.

Almost forgot: make sure the expected values in $_GET / $_POST actually exist before attempting to use them, e.g.

    if (isset($_POST['name'])) {
        // now use it
    }
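Putting the answer's three points together (POST only, escape on output, check the field exists), here is an added example of a hardened version of the handler. It is not code from the question or the answer; it assumes `connect()` returns a PDO handle and `$loggedInUser->user_id` holds the authenticated user's id, as in the question, and adds a session-stored CSRF token (a hypothetical `$_SESSION['csrf_token']`) because, as the answer notes, POST alone does not make you immune to CSRF.

```php
<?php
// Added example, not from the original question or answer.
// Assumptions: connect() returns a PDO handle; $loggedInUser->user_id is the
// authenticated user's id; a per-session CSRF token was stored earlier with
//   $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// and rendered into the form as a hidden field named csrf_token.
declare(strict_types=1);

session_start();

/** Store the name exactly as submitted; no HTML stripping on the way in. */
function updateUsername(PDO $dbh, int $userId, string $name): bool
{
    $q = $dbh->prepare('UPDATE Users SET username = :name WHERE User_ID = :id LIMIT 1');
    // bindValue (not bindParam) so we bind the value itself, not a reference.
    $q->bindValue(':id', $userId, PDO::PARAM_INT);
    $q->bindValue(':name', $name, PDO::PARAM_STR);
    return $q->execute();
}

/** Escape on the way out: this is what stops <b>name</b> rendering as bold. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1. Only accept the state change via POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// 2. CSRF token check; hash_equals avoids a timing side channel.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit;
}

// 3. Make sure the expected field actually exists and is sane before using it.
if (!isset($_POST['name']) || !is_string($_POST['name'])) {
    http_response_code(400);
    exit;
}
$name = trim($_POST['name']);
if ($name === '' || mb_strlen($name) > 64) {
    http_response_code(400);
    exit;
}

$dbh = connect();
updateUsername($dbh, (int) $loggedInUser->user_id, $name);

// Later, wherever the name is displayed, escape it for HTML context.
echo '<p>Hello, ' . h($name) . '</p>';
```

The raw value (including any `<b>` tags the user typed) is what lands in the database; the `h()` wrapper at output time is the only place HTML is neutralised, which is the "raw in, escaped out" split the answer recommends. If the name is ever emitted in a different context (a JavaScript string, a URL, an attribute), that context needs its own escaping.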

