What is "enough sanitization" for a URL


Question

The URL is going to be

  1. saved to a MySQL database
  2. used to display an image on the user's profile

Would strip_tags() and mysql_real_escape_string() be enough?

Answer

"Enough sanitization" thoroughly depends on what environment you're talking about. Sanitization for MySQL should be considered entirely separate from sanitization for web output, and you should handle them separately to avoid a lot of hassle.

Sanitizing for MySQL

  • mysql_real_escape_string() will sanitize a piece of data and make it safe to put inside an SQL query.
  • Any other type of malicious data, such as HTML tags inside the string, should be absolutely ignored. Trying to manipulate it here will lead you to headaches as you try to "un-manipulate" it later after getting it out of the database. Bad "web data" cannot harm your database.

Sanitizing output

  • htmlspecialchars($val) at output time will prevent any malicious tags from being rendered, because < and > characters are converted into their entity representations and not rendered as tag delimiters.
  • Use the ENT_QUOTES modifier if you are outputting something that is inside an HTML element's quoted attribute, such as <input name="email" value="<?php echo htmlspecialchars($email,ENT_QUOTES); ?>" />

That should be all you need, unless you have special requirements. strip_tags() shouldn't really be used for sanitization, as it can be fooled with badly formed HTML. Sanitization is a worthy goal, and if you can keep your contexts separate, you'll run into fewer problems with data manipulation between them.
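One way to implement the answer's separation of contexts for this exact case (a URL stored in MySQL and rendered as a profile image), as an added example and not code from the original answer: the value is validated as a URL on the way in, stored through a PDO prepared statement (the mysql_* functions named in the answer were removed in PHP 7.0, and a prepared statement needs no escaping of the value at all), and encoded with htmlspecialchars() and ENT_QUOTES only at output time. The table name, the column, and the $pdo connection are assumptions made for the example; the inputs at the bottom are constructed.

```php
<?php
// Added example, not code from the original answer. Three contexts, kept apart:
// 1. validate the value as a URL, 2. store it with a prepared statement,
// 3. encode it for the HTML attribute context at output time.
// Assumed (hypothetical): a table profiles(id INT, avatar_url VARCHAR(2048))
// reachable through an existing PDO connection $pdo.

declare(strict_types=1);

/**
 * Validation, not escaping: accept only absolute http(s) URLs of sane length.
 * A rejected value never reaches the database or the page.
 */
function validateImageUrl(string $raw): ?string
{
    $url = trim($raw);
    if ($url === '' || strlen($url) > 2048) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // filter_var() accepts any scheme that parses; allow only the two we serve.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/**
 * Storage context: the prepared statement sends the value separately from the
 * SQL text, so nothing is escaped here and the stored string is the original.
 */
function saveAvatarUrl(PDO $pdo, int $userId, string $url): void
{
    $stmt = $pdo->prepare('UPDATE profiles SET avatar_url = :url WHERE id = :id');
    $stmt->execute([':url' => $url, ':id' => $userId]);
}

/**
 * Output context: encode for a double-quoted HTML attribute. ENT_QUOTES turns
 * " and ' into entities so the value cannot terminate the attribute, and &
 * becomes &amp; so a query string survives the HTML parser intact.
 */
function avatarImgTag(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $safe . '" alt="avatar" />';
}

// Constructed inputs, one per path through the code.
$inputs = [
    'https://example.com/a.png?x=1&y=2',           // valid; & is encoded on output
    'https://example.com/a.png"onerror="alert(1)', // quotes are not on filter_var()'s
                                                   // reject list, so if this survives
                                                   // validation the attribute encoding
                                                   // is what neutralises it
    'javascript://alert(1)',                       // not http(s): rejected by the allowlist
    "x'); DROP TABLE profiles;--",                 // not a URL at all: rejected
];

foreach ($inputs as $raw) {
    $url = validateImageUrl($raw);
    if ($url === null) {
        echo "rejected: {$raw}\n";
        continue;
    }
    // saveAvatarUrl($pdo, 42, $url);  // against the assumed $pdo connection
    echo avatarImgTag($url), "\n";
}
```

The scheme allowlist is the kind of context-specific check the answer leaves under "special requirements": filter_var() on its own accepts anything that parses as a URL, so the second and third inputs show why the attribute encoding and the allowlist each catch something the other does not, while the fourth input never needed mysql_real_escape_string() because the prepared statement never interprets it as SQL.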
