doupao2277 2014-01-12 14:38
48 views
Accepted

Does this sanitization have any XSS leaks?

I want to make sure my sanitize doesn't have any leaks in it. And also, I'm only outputting user data within hardcoded p tags and h1 tags.

e.g.: <p><?php echo htmlspecialchars($user_data); ?></p>

So is this a safe way to protect me against XSS injects?

First, I'm using this function to sanitize the data before it gets inserted into my DB, and while inserting into my DB I'm using bind_param:

function sanitize($str) {
   // trim whitespace, drop anything that looks like a tag, then lower-case
   return strtolower(strip_tags(trim($str)));
}

sanitize($user_data); -> then gets inserted into the DB

Then when I grab the data from the DB I am using this to show it:

<p> <?php echo htmlspecialchars($user_data); ?> </p>

So, is this a safe way to block any XSS?

Thanks!


1 answer

  • dongxie9448 2014-01-12 14:42

    From a security standpoint, there is no need to use your sanitize function as long as you escape / process your data correctly for the medium you are outputting to:

    • Using htmlspecialchars() is all that is needed for output to HTML;
    • Use json_encode if you need to output to JavaScript;
    • Use prepared statements with bound variables for your database;
    • etc.
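The answer's point, one encoder per output medium rather than a lossy input "sanitize", shown in PHP as an added example (not code from the question or the answer). The function names `encodeHtml`, `encodeJs` and `storeComment`, the `comments` table and the sample value are assumptions made for the example; the `mysqli` call is defined but not executed, so the script runs offline.

```php
<?php
// Added example: context-specific output encoding, as the accepted answer
// describes. $userData is a constructed sample; no database is contacted.

declare(strict_types=1);

// Encode for an HTML text node or a quoted attribute value.
// ENT_QUOTES escapes both " and ', so the result is also safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of returning an empty string (which would silently drop the content).
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encode for embedding in an inline <script> block as a JS string literal.
// The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes, so the browser's
// HTML parser never sees a closing </script> or a quote inside the value.
function encodeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Store with a prepared statement and bound parameters. The value is never
// concatenated into the SQL text, so it needs no SQL escaping and is kept
// exactly as the user typed it; strip_tags()/strtolower() at input time
// would have destroyed legitimate content such as "a < b" or "O'Reilly".
function storeComment(mysqli $db, int $userId, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $body);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample containing a tag, an attribute, both quote styles and
// an ampersand: the characters each output context cares about.
$userData = '<b onmouseover="x">O\'Reilly & Co</b>';

// HTML body context (the question's <p> and <h1> case)
echo '<p>' . encodeHtml($userData) . "</p>\n";

// HTML attribute context: the same encoder, but the attribute must be quoted
echo '<input type="text" value="' . encodeHtml($userData) . "\">\n";

// JavaScript context: a different encoder, because the rules differ
echo '<script>var comment = ' . encodeJs($userData) . ";</script>\n";
```

Run it with `php example.php` and compare the three lines: the same input is encoded differently for each context, while the stored value itself stays untouched. The sanitize() from the question is not wrong to keep for business reasons (e.g. you want lower-case tags-free usernames), but it is not what prevents XSS; the encoder at the output point is.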
