在PHP中将filter_var与htmlentities一起使用会很好吗?
[英]Is it good to use filter_var with htmlentities in PHP?
问题描述
I'm validating a POST request variables and I used to do like this: 
我正在验证POST请求变量,我以前经常这样做:
$email = htmlentities($_POST['email']);
But now I searched and learned about filter_var and I'm doing the validation like this: 但是现在我搜索并了解了关于filter_var的信息,并且正在像这样进行验证:
$email = filter_var(htmlentities($_POST['email']), FILTER_SANITIZE_EMAIL);
Which way is better? 哪种方法更好? and for all types of input [phone - string - etc ..] What I have to use? 对于所有类型的输入[电话-字符串-等。]我必须使用什么?
Sorry I'm a beginner and I've looked into the manual but I could't understand a lot. 抱歉,我是一个初学者,已经研究了手册,但我不太了解。
Thanks for help. 感谢帮助。
1 个解决方案
解决方案1
1 已采纳 2017-01-12 14:49:04
Only use the following line for emails: 仅对电子邮件使用以下行:
filter_input(INPUT_POST, "email", FILTER_SANITIZE_EMAIL);
This will correctly remove illegal chracters from an email character (such as ; and keep legal ones such as & or + 这样可以从电子邮件字符中正确删除非法字符(例如;并保留合法字符,例如&或+
Using htmlentities may turn a legal email address to an illegal one which FILTER_SANITIZE_EMAIL will then break. 使用htmlentities可能会将合法的电子邮件地址转换为非法的电子邮件地址,然后FILTER_SANITIZE_EMAIL将被破坏。
If you are dealing with user input for labels or descriptions then you can store said input normally (using prepared statements to allow the DB to escape the input correctly) and use htmlentities when displaying it on the page . 如果要处理标签或描述的用户输入,则可以正常存储所述输入 (使用准备好的语句以使DB正确转义输入),并在页面上显示时使用htmlentities 。 Alternatively you can use: 另外,您可以使用:
filter_input(INPUT_POST, "description", FILTER_SANITIZE_STRING);
This the string sanitize filter strips tags. 该字符串对过滤条标签进行消毒。
You can check more filters at : http://php.net/manual/en/filter.filters.sanitize.php 您可以在以下位置检查更多过滤器: http : //php.net/manual/en/filter.filters.sanitize.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.