htmlspecialchars()应该用于输入信息还是输出信息之前? [英] Should htmlspecialchars() be used on information on input or just before output?
问题描述
我将$ _POST信息存储在数据库中,稍后再进行查询并将此信息打印给用户。我应该在插入这个信息之前使用htmlspecialchars(),还是在我输出之前查询它之后使用htmlspecialchars()?
另外我需要用户具有使用引号的能力和其他日常特殊字符。我知道我可以使用ENT_NOQUES标志,但感觉就像我这样做会留下安全漏洞。我的网站允许Bbcode,我希望用户能够每天使用字符,而不必看到amp; lt;& lt;& gt;&。
鼓励耐心<< --- noob!
Thanks:D
在插入此信息之前,我应该使用htmlspecialchars在我输出它之前查询它之后?
在插入目标代码之前转义目标代码的数据。即在输出之前。
这意味着您将保留原始数据用于其他目的(例如输出给用户进行编辑,包括在电子邮件中,生成一个PDF,搜索等)
另外,我需要用户有能力使用引号和其他日常特殊功能字符。
我知道我可以使用ENT_NOQUES标志,但感觉就像我这样做会留下安全漏洞。 htmlspecialchars()会将输入数据中的引号转换为HTML。所以你不需要做任何特别的事情。
我的网站允许Bbcode
然后你需要有一个合适的BBCode解析器。
I take $_POST information and store it in a DB and later on query and print this information to the user. Should I use htmlspecialchars() before inserting this info or after I query it before I output it?
In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.
My site allows Bbcode and I want users to be able to use everyday characters without having to see "amp;lt;<?>&".
Patience with me <--- noob is encouraged! Thanks :D
Should I use htmlspecialchars() before inserting this info or after I query it before I output it?
Escape data for the target code just before you insert it. i.e. Just before you output it.
This means that you will keep the data in its original form for other purposes (e.g. outputting to the user for editing, including in an email, generating a PDF, searching, etc)
In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.
htmlspecialchars() will convert quotes in the inputted data into HTML. So you don't need to do anything special.
My site allows Bbcode
Then you need to have a proper BBCode parser.
这篇关于htmlspecialchars()应该用于输入信息还是输出信息之前?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
