PHP $ _SERVER ['HTTP_HOST']转义,这看起来可以接受吗?
[英]PHP $_SERVER['HTTP_HOST'] escaping, does this look acceptable?
问题描述
I am just learning about escaping things and started reading about how it could be risky to use $_SERVER['HTTP_HOST'] due to XSS attacks. 
我正在学习逃避的事情,并开始阅读由于XSS攻击而使用$_SERVER['HTTP_HOST']会有多大风险。
I came up with this and was wondering if I could get some feedback on my attempt. 我想出了这个,并想知道我是否可以得到一些关于我的尝试的反馈。
htmlspecialchars(
filter_var( $_SERVER[ 'HTTP_HOST' ], FILTER_SANITIZE_URL ),
ENT_QUOTES, 'UTF-8'
)
Does it look okay? 看起来好吗?
So much depends on this one variable being secure, I just had to ask for input. 这么多取决于这个变量是安全的,我只需要求输入。
EDIT: 编辑:
I will be using this for display throughout the site, including basic anchor-hrefs, form-actions, etc. 我将在整个网站上使用它进行显示,包括基本的锚点hrefs,表单动作等。
2 个解决方案
解决方案1
3 2009-09-22 19:35:37
It depends on what do you want to use for. 这取决于你想要用什么。 If you want to display it, use htmlspecialchars. 如果要显示它,请使用htmlspecialchars。 If you want to use as a database query, you might use mysql_real_escape_string in case of mysql. 如果要将其用作数据库查询,则可以在mysql的情况下使用mysql_real_escape_string。 (or prepared statements) (或准备好的陈述)
解决方案2
3 已采纳 2009-09-22 20:05:25
Different escaping functions should be used for different situations, for example: 不同的转义函数应该用于不同的情况,例如:
-
urlencodefor items that will be dropped in a query string in an<a>tag, ie.urlencode用于将放在<a>标签中的查询字符串中的项目,即。echo '<a href="index.php?foo=' . urlencode($foo) . '">';(see alsohttp_build_query)(另见http_build_query) -
mysql_real_escape_stringfor variables going in a SQL statement (though I prefer bind variable)mysql_real_escape_string用于SQL语句中的变量(虽然我更喜欢绑定变量) -
htmlentitiesfor strings you want to display to the user, that may possibly have HTML within (see alsostrip_tags)您希望向用户显示的字符串的htmlentities,可能包含HTML(另请参阅strip_tags)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.