In PHP, do I need to escape form submissions before I check if they're empty?
i.e. would something such as empty($_POST['email']) be vulnerable to code injection, or not?
PHP在检查之前是否已转义
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
分享- 邀请回答
-
1条回答 默认 最新
- drxyaox153896 2016-10-29 01:44关注
OWASP site (https://www.owasp.org/index.php/Code_Injection) define code injection as
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application.
PHP empty function determines if a variable is empty or not. Since it is not really executing the code, it is safe.
What you do after empty matters? For example, if you plan to use the $_POST['email'] as part of the SQL query or use it in an external shell command or using it in an HTML output, you need to escape it accordingly. Depending on the usage, there are escaping functions. For SQL injections, PHP provides mysql_real_escape_string. For shell command, escapeshellcmd and escapeshellarg. For HTML output to avoid XSS attacks, PHP htmlentities.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报 分享
- 2016-10-29 01:07回答 1 已采纳 OWASP site (https://www.owasp.org/index.php/Code_Injection) define code injection as Code Inj
- 2018-06-11 17:30回答 2 已采纳 Try: var allMarkers = ["{\"address_components\":[{\"long_name\":\"London\",\"short_name\":\
- 2017-08-06 22:27回答 2 已采纳 Mixing php / js can be a bit confusing because the quotes can intersect. Notice that we're using
- 2021-04-25 02:06常晓锁的博客 如果想自己定义那些文件需要转义可以使用autoescape_on方法Youcanoverridethatorcompletelydisableauto-escapingbycallingtheautoescape_onmethod://只转义文件名结尾是.php.html的文件//e来自:博客则就会导致各种...
- 2017-05-02 00:11回答 1 已采纳 $str = rtrim($str); $str = rtrim($str, $_POST['trim']); Will remove whitespace at the end of the
- 2021-09-29 07:34回答 1 已采纳
- 2018-01-28 13:54回答 1 已采纳 Given what you posted for code and if I am getting what you're asking is that you need to encase t
- 2021-05-02 03:39揍悦的博客 php如何转义mysql中的特殊字符在php中可以通过mysqli_real_escape_string函数转义在mysql中使用的字符串中的特殊字符,其语法是“mysqli_real_escape_string(connection,escapestring);”。推荐:《PHP视频教程》PHP...
- 2016-03-03 01:14回答 1 已采纳 Maybe it's work of directive magic_quotes_gpc see: http://php.net/manual/en/function.addslashes.ph
- 2017-04-30 17:44回答 3 已采纳 As @quentin mentioned, you're trying to echo a php tag, which you cannot. To use a variable inside
- 2019-10-18 01:54回答 3 已采纳 ``` //将Unicode编码的中文转换成utf8编码的中文 function decodeUnicode($str){ return preg_replace_callback(
- 2021-03-23 13:41李凤台的博客 我正在尝试使用PHP进行api调用.参数之一是货币我的API调用就像$call=".....¤cy=USD&.......";$response = hash_call("Pay", $call);?>但是,如果我打印呼叫,它将打印为....¤cy=USD&.......我...
- 2016-02-16 16:30回答 1 已采纳 In the queries where you try to use variables you're forgetting the quotes for the values: $price
- 2021-03-23 15:56Actor.又戈叔的博客 php转义单引号的方法:使用【addslashes()】函数在指定的预定义字符前添加反斜杠,语法为【addslashes(string)】,string是必需,规定要检查的字符串。本教程操作环境:windows7系统、PHP5.6版,DELL G3电脑。php...
- 2020-10-10 02:29ustcsse2019-lee的博客 本文仅介绍PHP中的一些转义函数的使用。 互联网中一切的输入都不可信,有用户可以自由输入的地方就可能存在着安全漏洞。转义函数的使用就是为了提高系统的安全性,防止潜在的攻击,如SQL注入,XSS攻击等。本文介绍六...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 shape_predictor_68_face_landmarks.dat
- ¥15 slam rangenet++配置
- ¥15 有没有研究水声通信方面的帮我改俩matlab代码
- ¥15 对于相关问题的求解与代码
- ¥15 ubuntu子系统密码忘记
- ¥15 信号傅里叶变换在matlab上遇到的小问题请求帮助
- ¥15 保护模式-系统加载-段寄存器
- ¥15 电脑桌面设定一个区域禁止鼠标操作
- ¥15 求NPF226060磁芯的详细资料
- ¥15 使用R语言marginaleffects包进行边际效应图绘制