将字符串编码转换为 UTF-8
我正在构建自己的 PHP 框架,并且我希望在每个请求上将每个 get 和 post 变量转换为 utf8 (我在当前项目中的任何地方都不使用其他编码)以防止我的项目遭受“无效编码攻击”或二进制攻击。我在 php.net 中找到了 utf8_encode,但它说仅将 ISO-8859-1 转换为 UTF8。我想知道将所有内容都转换为 utf8 是否有什么大不了的,或者这与安全性没有任何共同点(我想尽可能减少安全漏洞)。
I am building my own PHP framework, and I want on each request to convert each get and post variable to utf8 (I don't use other encodings anywhere in my current project) to prevent my projects from "Invalid Encoding Attack" or binary atack. I found utf8_encode in php.net, but it says that converts ISO-8859-1 to UTF8 only. I want to know is it a big deal to cast everything to utf8, or this cannot do anything in common with security (I want to decrease the security holes as much as possible).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
如果您的目标是保护自己免受无效编码攻击,那么您应该
在使用 GET/POST 值之前使用它们。
但是您不需要转换任何内容 - 例如使用 mb_convert_encoding():如果您使用适当的 Content-Type 和
标签,指定您的页面采用 UTF-8,则保证普通用户只会向您发送 UTF-8。If your goal is to protect yourself from invalid encoding attacks, then you should use
on your GET/POST values before using them.
But you don't need to convert anything - e.g. using mb_convert_encoding(): if you use the appropriate Content-Type and <meta> tag, specifying your page is in UTF-8, you are guaranteed that normal users will send you only UTF-8.
@nikolay,
mb_convert_encoding()是你的朋友。看看这里。另外,如果您将所有网页的编码设置为UTF-8,则无需手动转换。将其添加到每个页面的
head部分:@nikolay,
mb_convert_encoding()is your friend. Have a look here.Additionally, if you set the encoding of all web-pages to UTF-8, there's no need to convert manually. Add this to each page's
headsection:图标> http://php.net/manual/en/book.iconv.php
iconv > http://php.net/manual/en/book.iconv.php