php,filter_var或htmlentities中的URL过滤
[英]URL filtering in php, filter_var or htmlentities
问题描述
For a secure url query, what is more secure? 
对于安全的URL查询,什么更安全? filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities ? filter_var($ string,FILTER_SANITIZE_SPECIAL_CHARS)或htmlentities ?
2 个解决方案
解决方案1
3 2010-07-06 17:10:31
第一个显然是为了这个目的而设计的。
解决方案2
1 已采纳 2010-07-06 17:37:41
What are you defending against? 你在防守什么? A vulnerability is highly dependent on how the data is being used. 漏洞很大程度上取决于数据的使用方式。 Its impossible to create 1 function call that protects against everything, and mixing protection systems (like xss and sql injection) is a very bad idea. 它不可能创建一个防止一切的函数调用,混合保护系统(如xss和sql注入)是一个非常糟糕的主意。
For XSS you should use: htmlspecialchars($var, ENT_QUOTES); 对于XSS,您应该使用: htmlspecialchars($var, ENT_QUOTES);
For Sql Injection in mysql you should use mysql_real_escape_string($var); 对于mysql中的Sql Injection,你应该使用mysql_real_escape_string($var);
If you are passing user input to system() or another similar function then you should use escapeshellarg($var); 如果要将用户输入传递给system()或其他类似函数,则应使用escapeshellarg($var);
These are the top 3 and mixing these will cause nothing but problems. 这些是前三名,混合这些只会造成问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.