dqoag62688 2015-12-14 00:58
Views: 32
Accepted

Superglobals and htmlentities

I was reading about Superglobals and security. As a “rule”, I use htmlentities() for all the inputs and similar and for

$_SERVER['HTTP_REFERER']; 
$_SERVER["REQUEST_METHOD"];
$_POST['thename'];
$_GET['thename'];

But since I am a novice I don't know if I have to use it with some or all the other superglobals. I don't know about security and maybe, someone can do “something” to put (or change) malicious code.

Do I have to use it just for those ones? Or are others to consider?

Thanks a lot.

I'm asking to learn in the good way.


1 answer

  • dongshanfan1941 2015-12-14 01:57

    Don't use htmlentities(), use htmlspecialchars().

    And use that function whenever you have some plain text that should be inserted into HTML. This is without exception - always do it. It has nothing to do with security in the first place, it is simply the way to achieve correct text output.

    Other functions you should be using: urlencode() or rawurlencode().

    This answer was selected as the best answer by the asker.
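An added example, not part of the question or the answer above, showing the answer's point in PHP: the same user-controlled string is escaped with htmlspecialchars() when it goes into HTML and with rawurlencode() when it goes into a URL query component. The value of $thename is constructed here and stands in for any of the superglobal entries listed in the question.

```php
<?php
// Added example: escape plain text according to the context it is output in.
// The sample value is constructed; it stands in for $_GET['thename'],
// $_POST['thename'], $_SERVER['HTTP_REFERER'] or any other untrusted string.
$thename = '<b>O\'Brien & "Co"</b>';

// Plain text into HTML element content or into a quoted attribute:
// htmlspecialchars() with ENT_QUOTES escapes & < > " and ' (nothing else).
function html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Plain text into a single URL query component (a key or a value):
// rawurlencode() percent-encodes everything outside the unreserved set.
function urlpart(string $s): string {
    return rawurlencode($s);
}

// HTML body and HTML attribute contexts use the same HTML escaping.
echo '<p>Hello, ' . html($thename) . "</p>\n";
echo '<input type="text" name="thename" value="' . html($thename) . "\">\n";

// URL context: encode the query component first, then escape the finished
// URL again for the attribute it is placed in (two contexts, two encodings).
$url = '/profile.php?thename=' . urlpart($thename);
echo '<a href="' . html($url) . "\">profile</a>\n";

// Why htmlspecialchars() rather than htmlentities(): both escape the
// HTML-significant characters identically, but htmlentities() also rewrites
// non-ASCII text that needs no escaping at all in UTF-8 output.
echo html('café') . "\n";                               // café
echo htmlentities('café', ENT_QUOTES, 'UTF-8') . "\n";  // caf&eacute;
```

Running the script prints the escaped markup; the last two lines show the only difference between the two functions for this input.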
