2016-06-14 11:16, 52 views


I am writing code that will process the user text input in a registration form. I have implemented the following function, which makes sure that the input data is safe:

function input_check($Indata, $dbc) {       // $dbc is the open MySQL connection
    $Indata = trim($Indata);                // remove surrounding white space
    $Indata = stripslashes($Indata);        // remove backslashes
    $Indata = strip_tags($Indata);          // remove HTML tags
    $Indata = htmlspecialchars($Indata);    // convert special characters to HTML entities
    $Indata = mysql_real_escape_string($Indata, $dbc); // escape for the SQL string context
    return $Indata;
}

Is there any other processing that I have to do in order to ensure that the input is safe?

I meant safe from malicious input data


1 answer

  • Accepted answer
    doty58493 2016-06-14 11:35

    Your strategy to use all possible escaping mechanisms may be safe, but will make your application too complex - imagine what you need to do to use the data (which seems to be stored in a MySQL database later, right?) to print it in an HTML form later.

    A wiser approach is to use only the adequate escaping mechanism, depending on the use of the data:

    • to store data in a MySQL database, use a database escaping mechanism (btw, instead of mysql_real_escape_string(), which is deprecated, use PDO::quote() or, even better, use parameter binding, which already does the escaping for you)
    • to print stored data in html text use htmlspecialchars(), possibly in conjunction with strip_tags()
    • to print stored data in html attributes use htmlspecialchars() together with urlencode()

    ... and so on. Then you will most likely be safe from SQL injection, XSS attacks and so on.

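The following is an added example, not code from the question or the answer, showing the per-context approach the answer recommends next to the double-encoding problem the question's input_check() would create. It uses an in-memory SQLite database through PDO so it runs offline; the table name, column names, helper function names and the sample username are all constructed for illustration.

```php
<?php
// Added example (not from the question or answer): keep the raw value in storage
// and encode it once, at the point of use, for the context it is placed in.
// SQLite in memory stands in for MySQL; table and column names are assumptions.

declare(strict_types=1);

// Constructed sample input with characters that matter in SQL, HTML and URLs.
$username = "  O'Brien <script>alert(1)</script> & co  ";

// 1. Storage: normalise (trim) but do not escape; parameter binding handles the SQL context.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO users (username) VALUES (:username)');
$insert->execute([':username' => trim($username)]);

// Reading it back returns exactly what the user typed (minus surrounding white space),
// with no escape characters baked in.
$stored = $pdo->query('SELECT username FROM users WHERE id = 1')->fetchColumn();
if ($stored !== trim($username)) {
    throw new RuntimeException('stored value was altered');
}

// 2. Output: one encoder per target context.

// HTML text node. ENT_QUOTES encodes both ' and " so the same helper is also safe
// for quoted attribute values; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML attribute value; the template must always wrap it in double quotes.
function htmlAttr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Value inside a URL query string inside an href attribute: URL-encode for the URL
// context first, then HTML-encode the whole URL for the attribute context.
function hrefQuery(string $base, string $param, string $value): string
{
    $url = $base . '?' . urlencode($param) . '=' . urlencode($value);
    return htmlAttr($url);
}

echo '<p>Welcome, ' . htmlText($stored) . "</p>\n";
echo '<input type="text" name="username" value="' . htmlAttr($stored) . "\">\n";
echo '<a href="' . hrefQuery('/profile.php', 'user', $stored) . "\">Profile</a>\n";

// 3. The pitfall of escaping on input: a value stored through htmlspecialchars()
// already contains entities, so the (correct) output encoding double-encodes it
// and the page shows literal "&lt;script&gt;" text instead of the user's name.
$escapedOnInput = htmlspecialchars(trim($username), ENT_QUOTES, 'UTF-8');
echo '<p>Double-encoded: ' . htmlText($escapedOnInput) . "</p>\n";
```

Run it with the PHP CLI (`php example.php`); the first three lines of output are what a template should emit, and the last line shows `&amp;lt;script&amp;gt;`, which is the corruption a reviewer is looking for whenever HTML escaping is applied before storage rather than at output.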