我想知道,下面的例子中的最佳做法是什么。
I was wondering, whats the best practice on the example below.
<?php if(isset($_POST['query'])){ $out = $_POST['query']; } ?> <div><?php echo $out; ?></div> <input type="text" value="<?php echo $out; ?>" />使用上述代码会对网站构成威胁。或者我需要在使用之前准备输出,如上所述。通过准备我的意思是编码或转义特殊字符。
Using the above code would this pose a threat to website. Or would I need to prepare the output before using it as above. By prepare I mean encode it or escape special characters.
我知道您需要转义它并验证数据库使用的输入,输出方式如何? >
I am aware you need to escape it and validate inputs for db use, how about for outputting it?
推荐答案是的,由于你把它放在HTML中,你应该使用 htmlspecialchars :
Yes, since you’re putting it out into HTML you should use encode HTML’s special characters appropriately with htmlspecialchars:
if (isset($_POST['query'])) { $out = htmlspecialchars($_POST['query']); }此外, $ out 仅在 $ _ POST ['query'] 存在时定义;如果 $ _ POST ['query'] 不存在,则应考虑使用默认值。否则,如果启用了注册全局变量(这是一个坏主意),您可以通过URL查询字符串与?out = ... 。
Besides that, $out is only defined when $_POST['query'] exists; you should think about having a default value if $_POST['query'] does not exist. Because otherwise, when register globals are enabled (that alone is a bad idea) you could set that variable via the URL query string with ?out=….
更多推荐
PHP输出的最佳做法
发布评论