防止XSS攻击 [英] Prevent XSS attacks

问题描述

此代码是否安全，可以防止XSS攻击?

Is this code secure to prevent XSS attacks ??

<?php
   $string = "<b>hello world!</b>";
   echo "without filtering:".$string;
   echo "<br>";
   $filtered = htmlspecialchars($string); // insert into database filtered
   echo "After filtering:".$filtered;
   echo "<br>";
   $de_filtering = htmlspecialchars_decode($filtered); //retrieve from database and display
   echo "After de-filtering:".$de_filtering;        
  ?>

推荐答案

在插入数据库时​​，不应对HTML-Specialchars进行编码，那样可以操纵数据(在编辑数据集时可能有所不同).您应该在显示它们时对其进行编码.

You should not encode HTML-Specialchars when inserting into database, that way data is manipulated (and maybe different when editing the dataset). You should rather encode them when displaying it.

但是，只要您不忘记使用Xc，htmlspecialchars()就足以阻止XSS.但是，您使用它的方式与以前一样安全.通过编码版本可以防止XSS，数据库对此并不关心.

But yes, htmlspecialchars() is enough to prevent XSS as long as you don't forget to use it. The way YOU use it however is as secure as before. XSS is prevented through the encoded version, the database does not care about it.

这篇关于防止XSS攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！