HTML encode user input when storing or when displaying


Problem description



Simple question that keeps bugging me.

Should I HTML encode user input right away and store the encoded contents in the database, or should I store the raw values and HTML encode when displaying?

Storing encoded data greatly reduces the risk of a developer forgetting to encode the data when it's being displayed. However, storing the encoded data will make datamining somewhat more cumbersome and it will take up a bit more space, even though that's usually a non-issue.

Solution

I'd strongly suggest encoding information on the way out. Storing raw data in the database is useful if you wish to change the way it's viewed at a certain point. The flow should be something similar to:

sanitize user input -> protect against sql injection -> db -> encode for display

Think about a situation where you might want to display the information as an RSS feed instead. Having to redo any HTML specific encoding before you re-display seems a bit silly. Any development should always follow the "don't trust input" meme, whether that input is from a user or from the database.
