doupao2277 2014-01-12 14:38
Views: 48
Accepted

Does this sanitize have any XSS leaks?

I want to make sure my sanitize doesn't have any leaks in it. Also, I'm only outputting user data within hardcoded p tags and h1 tags.

e.g.: <p><?php echo htmlspecialchars($user_data); ?></p>

So is this a safe way to protect me against XSS injections?

First, I'm using this function to sanitize the data before it gets inserted into my DB, and when inserting into my DB I'm using bind_param.

// Trims whitespace, removes HTML tags, and lower-cases the string
function sanitize($str) {
   return strtolower(strip_tags(trim($str)));
}

sanitize($user_data); -> then gets inserted into the DB

Then when I grab the data from the DB I am using this to show it.

<p> <?php echo htmlspecialchars($user_data); ?> </p>

So, is this a safe way to block any XSS?

Thanks!


1 answer

  • dongxie9448 2014-01-12 14:42

    From a security standpoint, there is no need to use your sanitize function as long as you escape/process your data correctly for the medium you are outputting to:

    • Using htmlspecialchars() is all that is needed for output to HTML;
    • Use json_encode if you need to output to JavaScript;
    • Use prepared statements with bound variables for your database;
    • etc.
    This answer was selected by the asker as the best answer.
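The answer above lists one encoder per output context. The following is an added example, not code from the asker or the answerer, showing those encoders applied to a single untrusted value: a prepared statement with a bound parameter for the database, htmlspecialchars() for HTML text and attributes, and json_encode() for a JavaScript literal. The sample value, the `comments` table, and the mysqli connection parameters are assumptions made for the example.

```php
<?php
// Added example (not from the original question or answer): the same
// untrusted string handled correctly in each output context.
declare(strict_types=1);

// Constructed sample input. It contains no '<' or '>', so strip_tags()
// returns it unchanged, yet echoed raw it would close a double-quoted
// attribute and start a new one. Escaping at output time handles it.
$user_data = 'O\'Reilly" onmouseover="alert(1)';

// Database context: store the raw value with a bound parameter.
// No sanitize() step is needed for SQL safety; the driver keeps data
// and query separate. Connection parameters are assumptions.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
$stmt->bind_param('s', $user_data);
$stmt->execute();

// HTML context (element text and attribute values).
// ENT_QUOTES also encodes single quotes, which matters inside '...'
// attributes; it only became the default in PHP 8.1, so pass it explicitly.
// ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning "".
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: emit a JSON literal with HTML-significant characters
// hex-escaped, so the value can never contain a literal "</script>".
function js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}
?>
<p><?= e($user_data) ?></p>
<h1><?= e($user_data) ?></h1>
<input type="text" value="<?= e($user_data) ?>">
<input type="text" value='<?= e($user_data) ?>'>
<script>
  var userData = <?= js($user_data) ?>;
</script>
```

Note what the question's sanitize() would do to this input instead: strip_tags() leaves the attribute-breakout payload intact because it contains no tags, while strtolower() silently alters legitimate data such as names. Storing the raw value and escaping at output keeps the data exact and lets each context apply the encoding it actually needs.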
