I'm starting studying PHP 5 (I always used PHP 4) and for this, I'm building a small (really easy) CMS. I saw in the manual that they added functions to filter vars. My CMS must handle some HTML content for the content of pages. Are these functions (filter_input, filter_var, ecc..) with sanitize filters enough? Or do I need to build a deeper custom function?
1条回答 默认 最新
douqiang7462 2013-12-13 18:00关注Yes, it's almost always enough to use them. However, depending on each query you do or each page content you show, keep in mind that not-so-special characters can also cause surprises. Briefly,
- If you insert into mysql, quote everything and don't let strings contain unhandled quotes. Use mysql_real_escape_string and his friends.
- If you write into a file, you're safe - mind only what you read back.
- If you put default values in input fields, watch out for the same quote that you use around the "value" property. Malicious strings will try to close quotes.
- If you output HTML, use html_special_chars to avoid surprises. Greater-sign and ampersand are your enemies if you don't handle them.
Sanitizers will do the rest for you (filtering low characters, etc).
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 回答 1 已采纳 Yes, it's almost always enough to use them. However, depending on each query you do or each page c
- 2011-02-23 05:41回答 5 已采纳 An important rule to live by is FIEO. Filter Input Escape Output. ANY information that you take a
- 2010-02-25 20:10回答 3 已采纳 filter_var() is a good start. If you are planning on using these inputs in any type of SQL stateme
- 2021-04-09 10:49柳叶锈刀的博客 thinkphp6 输入变量过滤官方文档地址:变量过滤框架默认没有设置任何全局过滤规则,你可以在app\Request对象中设置filter全局过滤属性:namespace app;class Request extends \think\Request{protected $filter = ['...
- 2012-01-10 15:42回答 2 已采纳 node-validator is the perfect library for this, it has many functions for both validation and sani
- 2018-05-19 22:51回答 1 已采纳 You will have to search for cities and add category property to the data you are sending to your a
- 2014-04-11 16:13回答 2 已采纳 Since you only check the values, it is not strictly necessary in the sample code you gave. HOWEVER
- 2016-12-27 15:40loophome的博客 一、什么是XSS攻击 XSS攻击是指恶意攻击者往Web页面里插入恶意Script代码,当用户浏览该页之时,嵌入其中Web里面的...<?php $slogan_type = isset($_GET['slogan_type']) ? $_GET['slogan_type'] : 'default'; ?>
- 2014-07-31 23:13回答 1 已采纳 I set up this example with the filter_startsWith option set to true and it appears to work when I
- 2011-08-30 12:11回答 2 已采纳 include 'mysql_connect.php'; if(isset($_POST['submit'])){ if($_POST['inputEmail'] == ''){
- 2015-06-30 14:06回答 1 已采纳 For this kind of functionality look into AngularJS.
- 2019-03-03 21:18默先森-Jan的博客 在防止被注入攻击时,常会用到两个函数:htmlspecialchars()和addslashes()函数。这两个函数都是对特殊字符进行转义。...这是我们可对读取出来的数据使用htmlspecialchars()进行过滤,避免执行被注入的脚本。
- 2022-03-27 10:53回答 3 已采纳 1 设置同name表格,就可以保存为数组。如: <input type=text name=s value=1> <input type=text name=s value=2>
- 2023-06-12 06:41士别三日wyx的博客 PHP://filter协议 PHP filter 过滤器
- 2021-03-25 10:14三符的博客 21M语言:中文 评分:7.5标签:立即下载PHP输入和输出流是通过php://来访问的,它允许访问 PHP 的输入输出流、标准输入输出和错误描述符, 内存中、磁盘备份的临时文件流以及可以操作其他读取写入文件资源的过滤器。...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 csmar数据进行spss描述性统计分析
- ¥15 各位请问平行检验趋势图这样要怎么调整?说标准差差异太大了
- ¥15 delphi webbrowser组件网页下拉菜单自动选择问题
- ¥15 wpf界面一直接收PLC给过来的信号,导致UI界面操作起来会卡顿
- ¥15 init i2c:2 freq:100000[MAIXPY]: find ov2640[MAIXPY]: find ov sensor是main文件哪里有问题吗
- ¥15 运动想象脑电信号数据集.vhdr
- ¥15 三因素重复测量数据R语句编写,不存在交互作用
- ¥15 微信会员卡等级和折扣规则
- ¥15 微信公众平台自制会员卡可以通过收款码收款码收款进行自动积分吗
- ¥15 随身WiFi网络灯亮但是没有网络,如何解决?