过滤用户输入 [英] Filtering User Input
问题描述
我在这里阅读了很多关于过滤用户输入的问答,但大多数时候答案是,这取决于你在做什么。以下是我正在做的事:
通过将在MySQL查询中使用的表单提交的数据:
<$ ($ field,$ link)
{
return mysql_real_escape_string($ field,$ link); pre $
}
通过表单提交的数据将显示在HTML / PHP页面或在一封电子邮件中:
function output_html($ value)
{
return stripslashes(htmlspecialchars($值));
$ / code> 数据库显示的数据:
函数output_db($ value)
{
return stripslashes($ value);
}
这足以满足我的需求吗?有没有我不考虑的东西?
谢谢!
使用 mysql_real_escape_string()将字符串插入到SQL查询中时,无论输入来自哪里。
code> htmlspecialchars()或 htmlentities()将字符串插入HTML代码时,无论输入来自哪里。
使用 urlencode()将值插入URL的查询字符串时,无论值来自哪里。
如果这些数据来自用户,那么您肯定应该做这些事情,因为有可能用户尝试做坏事。但除了安全性 - 如果你想插入一个合法的字符串到一个SQL查询和字符串恰好有一个单引号字符呢?你仍然必须逃避它。
I've read quite a few q&a's on filtering user input here, but most of the time the answer is that it depends on what you're doing. Here's what I'm doing:
Data submitted via a form that will be used in a MySQL query:
function clean($field, $link)
{
return mysql_real_escape_string($field, $link);
}
Data submitted via a form that will be displayed back on the HTML/PHP page or in an email:
function output_html($value)
{
return stripslashes(htmlspecialchars($value));
}
Data displayed from database:
function output_db($value)
{
return stripslashes($value);
}
Is this sufficient for my needs? Is there something I'm not considering?
Thanks!
Use mysql_real_escape_string() when inserting strings into SQL queries, no matter where the input comes from.
Use htmlspecialchars() or htmlentities() when inserting strings into HTML code, no matter where the input comes from.
Use urlencode() when inserting values into the query string of a URL, no matter where the values come from.
If this data comes from the user, then you should definitely do these things because there is the chance that the user is trying to do bad things. But security aside--what if you want to insert a legitimate string into a SQL query and the string just happens to have a single quote character in it? You still must escape it.
这篇关于过滤用户输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
