I'm starting studying PHP 5 (I always used PHP 4) and for this, I'm building a small (really easy) CMS. I saw in the manual that they added functions to filter vars. My CMS must handle some HTML content for the content of pages. Are these functions (filter_input, filter_var, ecc..) with sanitize filters enough? Or do I need to build a deeper custom function?
1条回答 默认 最新
- douqiang7462 2013-12-13 18:00关注
Yes, it's almost always enough to use them. However, depending on each query you do or each page content you show, keep in mind that not-so-special characters can also cause surprises. Briefly,
- If you insert into mysql, quote everything and don't let strings contain unhandled quotes. Use mysql_real_escape_string and his friends.
- If you write into a file, you're safe - mind only what you read back.
- If you put default values in input fields, watch out for the same quote that you use around the "value" property. Malicious strings will try to close quotes.
- If you output HTML, use html_special_chars to avoid surprises. Greater-sign and ampersand are your enemies if you don't handle them.
Sanitizers will do the rest for you (filtering low characters, etc).
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏 举报
悬赏问题
- ¥15 Mac系统vs code使用phpstudy如何配置debug来调试php
- ¥15 目前主流的音乐软件,像网易云音乐,QQ音乐他们的前端和后台部分是用的什么技术实现的?求解!
- ¥60 pb数据库修改与连接
- ¥15 spss统计中二分类变量和有序变量的相关性分析可以用kendall相关分析吗?
- ¥15 拟通过pc下指令到安卓系统,如果追求响应速度,尽可能无延迟,是不是用安卓模拟器会优于实体的安卓手机?如果是,可以快多少毫秒?
- ¥20 神经网络Sequential name=sequential, built=False
- ¥16 Qphython 用xlrd读取excel报错
- ¥15 单片机学习顺序问题!!
- ¥15 ikuai客户端多拨vpn,重启总是有个别重拨不上
- ¥20 关于#anlogic#sdram#的问题,如何解决?(关键词-performance)