我有点困惑,PHP中有这么多函数,有的使用这个,有的使用那个.有人使用:htmlspecialchars(),htmlentities(),strip_tags()等
I am a bit confused, there are so many functions in PHP, and some using this, some using that. Some people use: htmlspecialchars(), htmlentities(), strip_tags() etc
哪个是正确的,你们通常使用什么?
Which is the correct one and what do you guys usually use?
这是正确的吗(如果有的话,建议我做一个更好的选择):
Is this correct (advise me a better one, if any):
$var = mysql_real_escape_string(htmlentities($_POST['username']));此行可以防止MySQL注入和XSS攻击?
This line can prevent MySQL injection and XSS attack??
顺便说一句,除了XSS攻击和MySQL注入之外,还有其他需要注意的事情吗?
编辑
总结:
如果要向数据库中插入字符串,则无需使用htmlentities,只需使用mysql_real_escape_string.显示数据时,请使用htmlentities(),这就是您的全部意思吗?
If I want to insert string to the database, I do not need to use htmlentities, just use the mysql_real_escape_string. When displaying the data, use htmlentities(), is that what you all mean??
总结:
-
插入数据库时使用的
- mysql_real_escape_string 将数据输出到网页时使用的
- htmlentities()
- htmlspecialchars()何时使用?
- strip_tags()何时使用?
- addslashes()何时使用?
- mysql_real_escape_string used when insert into database
- htmlentities() used when outputting data into webpage
- htmlspecialchars() used when?
- strip_tags() used when?
- addslashes() used when?
有人可以填写问号吗?
推荐答案
- mysql_real_escape_string插入数据库时使用 将数据输出到网页时使用的
- htmlentities()
- htmlspecialchars()何时使用?
- strip_tags()何时使用?
- addslashes()何时使用?
- mysql_real_escape_string used when insert into database
- htmlentities() used when outputting data into webpage
- htmlspecialchars() used when?
- strip_tags() used when?
- addslashes() used when?
何时使用htmlspecialchars()?
htmlspecialchars与htmlentities大致相同.区别在于:字符编码.
htmlspecialchars() used when?
htmlspecialchars is roughly the same as htmlentities. The difference: character encodings.
都对控制字符进行编码,例如<,>,&等,用于打开标签等.htmlentities还编码来自其他语言的字符,例如变音符号,欧元符号等.如果您的网站是UTF,请使用htmlspecialchars(),否则请使用htmlentities().
Both encode control characters like <, >, & and so on used for opening tags etc. htmlentities also encode chars from other languages like umlauts, euro-symbols and such. If your websites are UTF, use htmlspecialchars(), otherwise use htmlentities().
htmlspecialchars/entities对特殊字符进行编码,因此会显示但不会解释. strip_tags删除它们.
htmlspecialchars / entities encode the special chars, so they're displayed but not interpreted. strip_tags REMOVES them.
实际上,这取决于您需要做什么.
In practice, it depends on what you need to do.
一个例子:您已经为一个论坛编写了代码,并为用户提供了一个文本字段,以便他们可以发布内容.恶意用户可以尝试:
An example: you've coded a forum, and give users a text field so they can post stuff. Malicious ones just try:
pictures of <a href="javascript:void(window.setInterval(function () {window.open('evil');}, 1000));">kittens</a> here如果您不执行任何操作,将显示该链接,并且单击该链接的受害者会弹出很多弹出窗口.
If you don't do anything, the link will be displayed and a victim that clicks on the link gets lots of pop-ups.
如果您的输出是htmlentity/htmlspecialchar,则文本将保持原样.如果您剥离它,它只会删除标签并显示它:
If you htmlentity/htmlspecialchar your output, the text will be there as-is. If you strip_tag it, it simply removes the tags and displays it:
pictures of kittens here有时您可能想要混合,在其中留一些标签,例如<b>(strip_tags可以在其中留某些标签).这也是不安全的,因此最好对XSS使用一些完整的库.
Sometimes you may want a mixture, leave some tags in there, like <b> (strip_tags can leave certain tags in there). This is unsafe too, so better use some full blown library against XSS.
引用旧版本的PHP手册:
在数据库查询等中需要返回的字符前返回带反斜杠的字符串.这些字符是单引号('),双引号(),反斜杠()和NUL( NULL 字节).
在向数据库中输入数据时,使用 addslashes()的示例.例如,要将名称 O'reilly 插入数据库中,您将需要对其进行转义.强烈建议使用DBMS特定的转义函数(例如,对于MySQL,使用mysqli_real_escape_string();对于PostgreSQL,则使用pg_escape_string()),但是如果您使用的DBMS没有转义功能,并且DBMS使用\来转义特殊字符,则表示可以使用此功能.
An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. It's highly recommeneded to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using does't have an escape function and the DBMS uses \ to escape special chars, you can use this function.
当前版本的用词不同.
更多推荐
如何防止PHP中的代码注入攻击?
发布评论