存储或显示时对用户输入进行 HTML 编码
简单的问题一直困扰着我。
我应该立即对用户输入进行 HTML 编码并将编码后的内容存储在数据库中,还是应该在显示时存储原始值并进行 HTML 编码?
存储编码数据大大降低了开发人员在显示数据时忘记对数据进行编码的风险。 然而,存储编码数据将使数据挖掘变得更加麻烦,并且会占用更多空间,尽管这通常不是问题。
Simple question that keeps bugging me.
Should I HTML encode user input right away and store the encoded contents in the database, or should I store the raw values and HTML encode when displaying?
Storing encoded data greatly reduces the risk of a developer forgetting to encode the data when it's being displayed. However, storing the encoded data will make datamining somewhat more cumbersome and it will take up a bit more space, even though that's usually a non-issue.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
我强烈建议在退出时对信息进行编码。 如果您希望更改在某个时刻查看原始数据的方式,则将原始数据存储在数据库中非常有用。 该流程应该类似于:
考虑一下您可能希望将信息显示为 RSS 提要的情况。 在重新显示之前必须重做任何 HTML 特定编码似乎有点愚蠢。 任何开发都应始终遵循“不信任输入”的模因,无论该输入来自用户还是来自数据库。
i'd strongly suggest encoding information on the way out. storing raw data in the database is useful if you wish to change the way it's viewed at a certain point. the flow should be something similar to:
think about a situation where you might want to display the information as an RSS feed instead. having to redo any HTML specific encoding before you re-display seems a bit silly. any development should always follow the "don't trust input" meme, whether that input is from a user or from the database.
请记住,您可能需要使用无法理解 HTML 编码文本的工具(例如报告工具)来访问数据库。 我同意空间不是问题,但恕我直言,将 HTML 编码放入数据库会将视图/前端的知识转移到应用程序的最低层,这是一个设计错误。
Keep in mind that you may need to access the database with something that doesn't understand HTML encoded text (e.g., a reporting tool). I agree that space is a non-issue, but IMHO, putting HTML encoding in the database moves knowledge of your view/front end into the lowest tier in the application, and that is a design mistake.
编码只能在显示器中完成。 毫无例外。
The encoding should only only only be done in the display. Without exception.
输出。
使用 HTML,您不能简单地检查字符串的长度(
&
是 1 个字符,但strlen()
会告诉你5),你可以轻松地裁剪它(它可能会破坏实体)。您可能需要将数据库中的字符串与其他来源的字符串混合,或者读取和写回它们。 在应用程序范围内执行此操作而不错过任何转义并避免双重转义是一场噩梦。
PHP 尝试用
magic_quotes
做类似的事情,但结果是一个巨大的失败。 不要走magic_entities
路线! :)Output.
With HTML you can't simply check length of a string (
&
is 1 character, butstrlen()
will tell you 5), you can easily crop it (it could break entities).You may need to mix strings from database with strings from another source, or read and write them back. Doing this application-wide without missing any escaping and avoiding double escaping is a nightmare.
PHP tried to do similar thing with
magic_quotes
and it turned out to be a huge failure. Don't takemagic_entities
route! :)