dtlab08822 2015-11-09 14:56
浏览 56

如何防止htmlspecialchars(PHP)转换为字符串中的整数

I am working on a web application where some data, stored in a database, is displayed in a div.

Since this data comes from the user, in order to prevent any javascript injection I want to use the htmlspecialchars() function for each single value extracted from the database before building my web page. I am using the following function to iterate through the arrays of data that I get from the database.

function filter(&$arr) {

         foreach ($arr as $key => &$val) {
            if (is_array($val)){
                $this->filter($val);
            }else{
                $val=htmlspecialchars($val);
            }
         } 

     }

But when the array of data is processed by this function the integer values are converted in to string.

Is there a way to prevent this conversion?

I prefere to have the integer as integer because part of the data is elaborated by javascript and some part of the code does not work properly if data are supplied as string. I am looking for a generic solution that can be applied no matter what type of data comes from the database.

  • 写回答

1条回答 默认 最新

  • dorkahemp972157683 2015-11-09 15:02
    关注

    you could do

    } else if (!is_int($val)) {
        $val = htmlspecialchars($val);
    }
    

    this won't be a security risk as if it's really an int it can not contain injections...

    评论

报告相同问题?

悬赏问题

  • ¥15 jupyterthemes 设置完毕后没有效果
  • ¥15 matlab图像高斯低通滤波
  • ¥15 针对曲面部件的制孔路径规划,大家有什么思路吗
  • ¥15 钢筋实图交点识别,机器视觉代码
  • ¥15 如何在Linux系统中,但是在window系统上idea里面可以正常运行?(相关搜索:jar包)
  • ¥50 400g qsfp 光模块iphy方案
  • ¥15 两块ADC0804用proteus仿真时,出现异常
  • ¥15 关于风控系统,如何去选择
  • ¥15 这款软件是什么?需要能满足我的需求
  • ¥15 SpringSecurityOauth2登陆前后request不一致