I'm starting studying PHP 5 (I always used PHP 4) and for this, I'm building a small (really easy) CMS. I saw in the manual that they added functions to filter vars. My CMS must handle some HTML content for the content of pages. Are these functions (filter_input, filter_var, ecc..) with sanitize filters enough? Or do I need to build a deeper custom function?
1条回答 默认 最新
douqiang7462 2013-12-13 18:00关注Yes, it's almost always enough to use them. However, depending on each query you do or each page content you show, keep in mind that not-so-special characters can also cause surprises. Briefly,
- If you insert into mysql, quote everything and don't let strings contain unhandled quotes. Use mysql_real_escape_string and his friends.
- If you write into a file, you're safe - mind only what you read back.
- If you put default values in input fields, watch out for the same quote that you use around the "value" property. Malicious strings will try to close quotes.
- If you output HTML, use html_special_chars to avoid surprises. Greater-sign and ampersand are your enemies if you don't handle them.
Sanitizers will do the rest for you (filtering low characters, etc).
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 回答 1 已采纳 Yes, it's almost always enough to use them. However, depending on each query you do or each page c
- 2011-02-23 05:41回答 5 已采纳 An important rule to live by is FIEO. Filter Input Escape Output. ANY information that you take a
- 2010-02-25 20:10回答 3 已采纳 filter_var() is a good start. If you are planning on using these inputs in any type of SQL stateme
- 2021-04-09 10:49柳叶锈刀的博客 thinkphp6 输入变量过滤官方文档地址:变量过滤框架默认没有设置任何全局过滤规则,你可以在app\Request对象中设置filter全局过滤属性:namespace app;class Request extends \think\Request{protected $filter = ['...
- 2012-01-10 15:42回答 2 已采纳 node-validator is the perfect library for this, it has many functions for both validation and sani
- 2018-05-19 22:51回答 1 已采纳 You will have to search for cities and add category property to the data you are sending to your a
- 2014-04-11 16:13回答 2 已采纳 Since you only check the values, it is not strictly necessary in the sample code you gave. HOWEVER
- 2016-12-27 15:40loophome的博客 一、什么是XSS攻击 XSS攻击是指恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的...<?php $slogan_type = isset($_GET['slogan_type']) ? $_GET['slogan_type'] : 'default'; ?>
- 2014-07-31 23:13回答 1 已采纳 I set up this example with the filter_startsWith option set to true and it appears to work when I
- 2011-08-30 12:11回答 2 已采纳 include 'mysql_connect.php'; if(isset($_POST['submit'])){ if($_POST['inputEmail'] == ''){
- 2015-06-30 14:06回答 1 已采纳 For this kind of functionality look into AngularJS.
- 2019-03-03 21:18默先森-Jan的博客 在防止被注入攻击时,常会用到两个函数:htmlspecialchars()和addslashes()函数。这两个函数都是对特殊字符进行转义。...这是我们可对读取出来的数据使用htmlspecialchars()进行过滤,避免执行被注入的脚本。
- 2022-03-27 10:53回答 3 已采纳 1 设置同name表格,就可以保存为数组。如: <input type=text name=s value=1> <input type=text name=s value=2>
- 2021-03-25 10:14三符的博客 21M语言:中文 评分:7.5标签:立即下载PHP输入和输出流是通过php://来访问的,它允许访问 PHP 的输入输出流、标准输入输出和错误描述符, 内存中、磁盘备份的临时文件流以及可以操作其他读取写入文件资源的过滤器。...
- 2023-06-12 06:41士别三日wyx的博客 PHP://filter协议 PHP filter 过滤器
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 Mac系统vs code使用phpstudy如何配置debug来调试php
- ¥15 目前主流的音乐软件,像网易云音乐,QQ音乐他们的前端和后台部分是用的什么技术实现的?求解!
- ¥60 pb数据库修改与连接
- ¥15 spss统计中二分类变量和有序变量的相关性分析可以用kendall相关分析吗?
- ¥15 拟通过pc下指令到安卓系统,如果追求响应速度,尽可能无延迟,是不是用安卓模拟器会优于实体的安卓手机?如果是,可以快多少毫秒?
- ¥20 神经网络Sequential name=sequential, built=False
- ¥16 Qphython 用xlrd读取excel报错
- ¥15 单片机学习顺序问题!!
- ¥15 ikuai客户端多拨vpn,重启总是有个别重拨不上
- ¥20 关于#anlogic#sdram#的问题,如何解决?(关键词-performance)