这是安全/强大的输入清理功能吗?
这是我最近学到的一本书中使用的清理函数 - Sams Teach Yourself Ajax, JavaScript和 PHP 一体化。
我一直在我自己的 PHP 网站上使用它。实际使用安全吗?
function sanitizestring($var)
{
$var = strip_tags($var);
$var = htmlentities($var);
$var = stripslashes($var);
return mysql_real_escape_string($var);
}
This is the sanitization function used in a book I recently learned from - Sams Teach Yourself Ajax, JavaScript, and PHP All in One.
I've been using it on my own PHP site. Is it safe for real-world usage?
function sanitizestring($var)
{
$var = strip_tags($var);
$var = htmlentities($var);
$var = stripslashes($var);
return mysql_real_escape_string($var);
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我想说这太笼统了。它可能对于很多用途都是安全的,但它通常会给琴弦带来不必要的副作用。并非每个字符串都应该像这样转义。
mysql_real_escape_string()只能在 SQL 查询中使用。更好的是,使用 PDO 绑定参数。htmlspecialchars()更适合您。将字符集作为参数提供给它。因此,我将使用 mysql_real_escape_string() 进行查询,并使用 htmlspecialchars() 来回显用户提交的字符串。还有很多事情需要了解。做一些进一步阅读。
I would say that is too general. It may be safe for a lot of uses, but it would often give unwanted side affects to strings. Not every string should be escaped like that.
mysql_real_escape_string()should be used within SQL queries only. Better still, bind params with PDO.htmlspecialchars()is more of your friend. Give it the character set as an argument.So I would use
mysql_real_escape_string()for queries, andhtmlspecialchars()for echoing user submitted strings. There is also a lot more to know. Do some further reading.您还可以考虑将 filter-input 与这些 过滤器应用于此范围。
You can also consider filter-input with those filters applied to this scope.