I'm starting to study PHP 5 (I always used PHP 4) and, to do so, I'm building a small (really simple) CMS. I saw in the manual that they added functions to filter vars. My CMS must handle some HTML content for the content of pages. Are these functions (filter_input, filter_var, etc.) with sanitize filters enough? Or do I need to build a deeper custom function?
- douqiang7462 2013-12-13 18:00
Yes, it's almost always enough to use them. However, depending on each query you do or each page content you show, keep in mind that not-so-special characters can also cause surprises. Briefly,
- If you insert into MySQL, quote everything and don't let strings contain unhandled quotes. Use mysql_real_escape_string and its friends.
- If you write into a file, you're safe; mind only what you read back.
- If you put default values in input fields, watch out for the same quote that you use around the "value" property. Malicious strings will try to close quotes.
- If you output HTML, use htmlspecialchars to avoid surprises. The greater-than sign and the ampersand are your enemies if you don't handle them.
Sanitizers will do the rest for you (filtering low characters, etc.).
This answer was selected as the best answer by the asker.
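A worked version of the four points in the answer, as an added example that is not part of the original question or answer. It assumes a hypothetical `pages` table in an in-memory SQLite database reached through PDO (the `pdo_sqlite` extension), and uses PDO prepared statements to do the quoting the answer assigns to mysql_real_escape_string; the `$post` array is constructed attacker-style input, not real request data.

```php
<?php
// Added example (not from the original post): validate on the way in,
// quote with prepared statements, escape on the way out.
declare(strict_types=1);

// Constructed sample input, shaped like $_POST after a malicious submit.
$post = [
    'slug'  => 'about',
    'title' => '" onmouseover="alert(1)',               // tries to close the value="" quote
    'body'  => '<p>Hello</p><script>alert(1)</script>',  // tries to inject a script tag
    'views' => '12abc',                                  // not a clean integer
];

// 1. Validate fields that have a fixed shape; reject instead of "cleaning".
$slug = filter_var($post['slug'], FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[a-z0-9-]{1,64}$/']]);
if ($slug === false) {
    exit("bad slug\n");
}
// '12abc' is not an int: FILTER_VALIDATE_INT returns false rather than 12.
$views = filter_var($post['views'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
if ($views === false) {
    $views = 0;
}

// Free text is stored raw (length-limited) and escaped only at output.
// Running FILTER_SANITIZE_SPECIAL_CHARS here as well would make the output
// escaping below turn &quot; into &amp;quot;, so escape on one side only.
$title = mb_substr(trim($post['title']), 0, 200);

// Page body must keep real markup, so a sanitize filter (which strips every
// tag) is the wrong tool. strip_tags with an allow-list removes <script>, but
// it leaves attributes such as onclick= on the allowed tags in place, so for
// user-authored HTML a real allow-list HTML sanitizer is still needed.
$body = strip_tags($post['body'], '<p><a><em><strong>');

// 2. Database: the driver quotes every bound value, so no quote character in
//    $title or $body can terminate the SQL string literal.
$db = new PDO('sqlite::memory:');  // hypothetical table for the demo
$db->exec('CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT, views INTEGER)');
$stmt = $db->prepare(
    'INSERT INTO pages (slug, title, body, views) VALUES (:slug, :title, :body, :views)'
);
$stmt->execute([':slug' => $slug, ':title' => $title, ':body' => $body, ':views' => $views]);

// 3. Output: ENT_QUOTES encodes both ' and ", so the same helper is safe
//    inside a double-quoted attribute, a single-quoted one, or element text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$row = $db->query('SELECT * FROM pages')->fetch(PDO::FETCH_ASSOC);

// The attacker's title becomes &quot; onmouseover=&quot;alert(1) and stays inside the attribute.
echo '<input type="text" name="title" value="' . e($row['title']) . '">' . "\n";
echo '<h1>' . e($row['title']) . '</h1>' . "\n";
// The body is intended HTML, so it is emitted unescaped; its safety rests
// entirely on the allow-list step above.
echo '<div class="body">' . $row['body'] . "</div>\n";
```

Two caveats for anyone applying the answer to a current PHP: the `mysql_*` functions it names were removed in PHP 7 (PDO or mysqli prepared statements replace them), and `FILTER_SANITIZE_STRING` is deprecated since PHP 8.1, which is one more reason to escape at output with htmlspecialchars rather than to rely on a sanitize filter at input.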