How does Codeigniter handle escaping output?


Problem description


I am using CodeIgniter.

Recently, I read a PHP book and saw some functions to escape output to server to database using

*_escape_string()

and from server to browser using:

htmlentities()
htmlspecialchars()

In my Codeigniter application, how are these functions handled? Is it internally handled by the framework, or do I have to manually handle it?

In CodeIgniter form validation I have seen xss_clean

$this->form_validation->set_rules('password', 'Password', 'required|xss_clean|min_length[6]|matches[confirmpassword]' );

Is xss_clean for preventing cross site scripting, or does it deal with the above I have mentioned?

Solution

If you're using the Active Record class, you generally don't need to escape anything you send to your database - it's done automatically:

http://codeigniter.com/user_guide/database/active_record.html

"It also allows for safer queries, since the values are escaped automatically by the system."

Manual escaping seems to be becoming a thing of the past, as most people are using PDO now for database interactions, using parameterized queries with placeholders instead of mashing SQL strings together. CI still uses the mysql_* functions internally though.

CI's xss_clean() is, in my opinion, more of a failsafe for those of us who don't know how and when to escape data properly. You normally don't need it. It's been the target of criticism both for its slow, aggressive approach to sanitizing data, as well as for just "not being good enough".

For escaping HTML output, in most cases htmlspecialchars() is all you need, but you can use the xss_clean() function any time. I don't suggest using it as a form validation rule because it will corrupt your input, inserting [removed] wherever it found something "naughty" in the original string. Instead, you can just call it manually to clean your output.

Summary:

  • Database: CI will (usually) escape the strings you pass to the Active Record class.
    See the user guide for details: http://codeigniter.com/user_guide/database/queries.html

  • HTML output: You need to escape HTML output yourself with htmlspecialchars() or use CI's html_escape() function (as of 2.1.0). This is not done automatically because there's no way to know the context in which you are using the data.

  • xss_clean() - If you know what you're doing, you shouldn't need it. Better to use on output than input.
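As an added example (not part of the original question or answer), the plain-PHP script below shows why the answer says HTML escaping cannot be done for you: the same value needs different treatment depending on where it lands, and escaping it at input time rather than at output time double-encodes it. html_escape_stub() is an assumed stand-in for CI 2.1's html_escape(); the sample input is constructed.

```php
<?php
// Added example, not code from the original question or answer. Plain PHP
// only (no CodeIgniter); html_escape_stub() is assumed to behave like CI
// 2.1's html_escape() helper, which the answer recommends for HTML output.

function html_escape_stub(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the result is safe inside
    // double- AND single-quoted attribute values, not just in text nodes.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: a display name as a user might type it.
$raw = 'Tom "Tommy" O\'Neil & Sons <3';

// 1. Text-node context: any of < > & would alter the markup.
echo '<p>' . html_escape_stub($raw) . "</p>\n";
// <p>Tom &quot;Tommy&quot; O&#039;Neil &amp; Sons &lt;3</p>

// 2. Attribute context: here the quotes are what matter.
echo '<input type="text" value="' . html_escape_stub($raw) . "\">\n";
// <input type="text" value="Tom &quot;Tommy&quot; O&#039;Neil &amp; Sons &lt;3">

// 3. Why the flags matter: ENT_COMPAT (the pre-PHP 8.1 default of
//    htmlspecialchars) leaves the single quote alone, so a single-quoted
//    attribute is terminated early by the input.
$compat = htmlspecialchars($raw, ENT_COMPAT, 'UTF-8');
echo "<input type='text' value='" . $compat . "'>\n";
// <input type='text' value='Tom &quot;Tommy&quot; O'Neil &amp; Sons &lt;3'>

// 4. Escape at output, not at input: a value escaped before storage and
//    escaped again when rendered comes out double-encoded.
$stored  = html_escape_stub($raw);   // wrongly escaped on the way in
$doubled = html_escape_stub($stored); // escaped again on the way out
echo $doubled . "\n";
// Tom &amp;quot;Tommy&amp;quot; O&amp;#039;Neil &amp;amp; Sons &amp;lt;3
```

Case 3 is the reason to escape for the specific output context rather than rely on one generic cleaner; case 4 is the concrete form of the answer's "better to use on output than input".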
