[英]URL filtering in php, filter_var or htmlentities
For a secure url query, what is more secure? 对于安全的URL查询,什么更安全? filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities ?
filter_var($ string,FILTER_SANITIZE_SPECIAL_CHARS)或htmlentities ?
第一个显然是为了这个目的而设计的。
What are you defending against? 你在防守什么? A vulnerability is highly dependent on how the data is being used.
漏洞很大程度上取决于数据的使用方式。 Its impossible to create 1 function call that protects against everything, and mixing protection systems (like xss and sql injection) is a very bad idea.
它不可能创建一个防止一切的函数调用,混合保护系统(如xss和sql注入)是一个非常糟糕的主意。
For XSS you should use: htmlspecialchars($var, ENT_QUOTES);
对于XSS,您应该使用:
htmlspecialchars($var, ENT_QUOTES);
For Sql Injection in mysql you should use mysql_real_escape_string($var);
对于mysql中的Sql Injection,你应该使用
mysql_real_escape_string($var);
If you are passing user input to system()
or another similar function then you should use escapeshellarg($var);
如果要将用户输入传递给
system()
或其他类似函数,则应使用escapeshellarg($var);
These are the top 3 and mixing these will cause nothing but problems. 这些是前三名,混合这些只会造成问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.