PHP清理和转义特殊字符
[英]PHP Sanitising and escaping special characters
问题描述
I'm new to PHP, and I've got a form where people can submit values to a DB. 
我是PHP的新手,并且有一种表单,人们可以在其中向数据库提交值。 Later those values will either be injected using JS, or be placed straight inside an HTML document. 稍后,这些值将使用JS注入,或直接放置在HTML文档中。
I'm using the following to sanitise my inputs: 我正在使用以下内容来清理输入内容:
function sanitise($str){
$string = htmlspecialchars($str);
$string = mysql_real_escape_string($str);
return $string;
}
The problem with this is that inside my DB, the inputs that have quotes look like this: input's . 问题是在我的数据库中,带引号的输入看起来像这样: input's 。 This means if I insderted that value inside JS, the quotation mark would screw everything up. 这意味着如果我将该值插入JS内,则引号会将所有内容弄乱。
I tried doing this to avoid the quote: 我尝试这样做以避免引用:
function sanitise($str){
$string = htmlspecialchars($str);
$string = mysql_real_escape_string($str);
return addslashes($string);
}
This converts my DB entry to something that looks like this: input\\'s . 这会将我的数据库条目转换为如下形式: input\\'s 。 This works within JS but if I was to inject that value directly inside <div></div> then the backslash will still be present... I'm confused as to what I'm doing wrong - how could I sanitize my inputs and at the same time universally escape special characters for both HTML and JS? 这在JS中有效,但是如果我直接在<div></div>注入该值,则反斜杠仍然存在...我对自己做错的事情感到困惑-如何清理输入内容并同时针对HTML和JS普遍转义特殊字符?
1 个解决方案
解决方案1
1 2013-09-18 02:24:11
Sanitisation of data means different things at different steps of your workflow. 数据消毒意味着在工作流程的不同步骤中发生不同的事情。 You also don't want to do it repeatedly or you will be propagating escape characters. 您也不想重复执行此操作,否则您将传播转义符。
The modern approach is to try to work with data in the correct representation. 现代的方法是尝试以正确的表示形式处理数据。 That means if you have a name O'Niell then that's the actual content of the string. 这意味着,如果您有一个名字O'Niell那么这就是字符串的实际内容。 Usually this means data coming from the web browser can be used as provided. 通常,这意味着可以按提供的方式使用来自Web浏览器的数据。 (Just make sure that magic quotes are disabled.) (只需确保禁用了魔术引号。)
It is when you pass the data to other layers that it is sanitised. 只有当您将数据传递到其他层时,它才会被清除。 The simplest case is checking it is a number just before you use it as a number, such as to look up a database row. 最简单的情况是在将其用作数字之前检查它是否为数字,例如查找数据库行。 The next simplest is using functions such as mysqli_real_escape_string right at the point you are assembling the SQL and no earlier. 下一个最简单的方法是在组装SQL时就使用mysqli_real_escape_string函数,并且此过程不早。 (Using prepared statements will do this for you, BTW.) Putting data into a URL or into Javascript is likewise done the same: you escape the data at the point you are emitting it. (顺便说一句,使用准备好的语句将为您做到这一点。)将数据放入URL或Javascript同样也是如此:在发出数据时对数据进行转义。
Doing this as late as possible solves two problems. 尽早这样做可以解决两个问题。 The first is that you don't have the problem of working with escaped data. 首先是您没有使用转义数据的问题。 The second is that then you don't double-escape the data. 第二个是,您不必两次转义数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.