dqoag62688 2015-12-14 00:58
Views: 32
Accepted

Superglobals and htmlentities

I was reading about Superglobals and security. As a “rule”, I use htmlentities() for all the inputs and similar and for

$_SERVER['HTTP_REFERER']; 
$_SERVER["REQUEST_METHOD"];
$_POST['thename'];
$_GET['thename'];

But since I am a novice I don't know if I have to use it with some or all the other superglobals. I don't know about security and maybe someone can do "something" to put (or change) malicious code.

Do I have to use it just for those ones? Or are others to consider?

Thanks a lot.

I'm asking to learn the right way.


1 answer

  • dongshanfan1941 2015-12-14 01:57

    Don't use htmlentities(), use htmlspecialchars().

    And use that function whenever you have some plain text that should be inserted into HTML. This is without exception - always do it. It has nothing to do with security in the first place, it is simply the way to achieve correct text output.

    Other functions you should be using: urlencode() or rawurlencode().

    Selected by the asker as the best answer.
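The answer's advice worked through as an added example (not code from the question or the answer): HTML-escape with htmlspecialchars() when a value lands in markup, percent-encode with rawurlencode() when it lands in a URL component, and do nothing at all when the value is only compared inside PHP. The request values are constructed stand-ins for $_GET['thename'] and $_SERVER['HTTP_REFERER'], and the helper names e() and query() are assumptions of this example.

```php
<?php
// Added example (not from the question or answer above): output encoding chosen
// by the context the value is written into, not by which superglobal it came from.
declare(strict_types=1);

// Escape plain text for an HTML element body or a quoted attribute value.
// ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces invalid byte
// sequences instead of returning '' silently, and the explicit charset avoids
// mis-decoding multibyte input.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build a query string, percent-encoding every key and value separately.
// rawurlencode() follows RFC 3986 (space becomes %20, not '+').
function query(array $params): string
{
    $parts = [];
    foreach ($params as $k => $v) {
        $parts[] = rawurlencode((string) $k) . '=' . rawurlencode((string) $v);
    }
    return implode('&', $parts);
}

// Constructed request values standing in for $_GET['thename'] and
// $_SERVER['HTTP_REFERER']; both are client-controlled in a real request.
$thename = '<script>alert(1)</script> O\'Neil';
$referer = 'https://example.com/?q=a&b=c d';
$method  = 'POST'; // stands in for $_SERVER['REQUEST_METHOD']

// Used only in a comparison, never echoed: no escaping needed or wanted.
$isPost = ($method === 'POST');

// HTML body context: '<', '>' and '&' become entities, so the browser shows
// the text instead of parsing it as markup.
echo '<p>Hello, ' . e($thename) . "</p>\n";

// Attribute context: the same function; ENT_QUOTES covers the single quote.
echo '<input name="thename" value="' . e($thename) . "\">\n";

// URL inside HTML: percent-encode the query components first, then HTML-escape
// the whole href, because the URL is itself an attribute value.
$href = '/search?' . query(['thename' => $thename, 'from' => $referer]);
echo '<a href="' . e($href) . "\">search again</a>\n";
```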
