[英]Is Regex for Form Validation if I use the following?
I know there is no harm in adding it either way but I'm curious... 我知道无论如何添加它都没有害处,但我很好奇......
If I was to use htmlentities(); 如果我要使用htmlentities(); with ENT_QUOTES and then mysql_real_escape_string(); 使用ENT_QUOTES然后使用mysql_real_escape_string(); the variable before entering it into the Database, then just use html_entity_decode(); 在将变量输入数据库之前的变量,然后只需使用html_entity_decode(); along with stripslashes(); 与stripslashes(); to display the information... 显示信息......
Would this still be safe and secure? 这仍然是安全的吗?
You don't need to use htmlentities before storing data in the database. 在将数据存储到数据库之前,您不需要使用htmlentities。 In fact, it makes things easier later if you don't. 事实上,如果你不这样做,它会让事情变得更容易。 Only use htmlentities on strings as you echo them in HTML output (whether you fetched the string from a database or from some other source). 在HTML输出中回显它们时,只对字符串使用htmlentities(无论是从数据库还是从其他来源获取字符串)。
You don't need to apply stripslashes to data after you fetch it from the database. 从数据库中获取数据后,您不需要对数据应用stripslashes。 The database has not stored the extra escaping characters -- unless you applied double-escaping by mistake. 数据库没有存储额外的转义字符 - 除非您错误地应用了双重转义。
Here's the right sequence: 这是正确的顺序:
Get data from a form 从表单中获取数据
$input = $_GET["input"];
Apply escaping once . 申请逃脱一次 。
$quoted_input = "'" . mysql_real_escape_string($input) . "'";
Insert it into the database 将其插入数据库
$sql = "INSERT INTO MyTable (column1) VALUES ($quoted_input)"; $success = mysql_query($sql);
Later fetch it from the database 稍后从数据库中获取它
$sql = "SELECT column1 FROM MyTable"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $data = $row["column1"];
Apply htmlentities once as you output. 输出时应用htmlentities 一次 。
echo htmlentities($data);
Maybe you can answer the question on your own if you know what these functions are intended to be used for: 如果您知道这些函数的用途,您可以自己回答这个问题:
htmlentities
is to replace the HTML special characters &
, <
, >
, and "
and characters that can be represented by entity character references . This is used to encode data to be safely put out in any HTML context (especially with ENT_QUOTES so that it even can be used in single quoted attribute values). For example: htmlentities
是替换HTML特殊字符&
, <
, >
和"
和可以由实体字符引用表示的字符 。这用于编码数据,以便在任何HTML上下文中安全地输出(特别是使用ENT_QUOTES,以便它甚至可以在单引号属性值中使用。)例如:
<textarea><?php echo htmlentities('</textarea>'); ?></textarea>
mysql_real_escape_string
is to replace the special characters in a MySQL string while taking the connection character encoding into account (using mysql_client_encoding
is required). mysql_real_escape_string
用于替换MySQL字符串中的特殊字符,同时考虑连接字符编码(需要使用mysql_client_encoding
)。 This is used to encode data to be safely used in a MySQL string. 这用于编码要在MySQL字符串中安全使用的数据。 For example: 例如:
$query = 'SELECT "'.mysql_real_escape_string("\\n\\r\\t\\v\\f\\\\\\"").'"';
html_entity_decode
is the inverse function to htmlentities
and replaces HTML character references (both numeric and entity character references). html_entity_decode
是htmlentities
的反函数,并替换HTML字符引用(数字和实体字符引用)。
stripslashes
removed the escape character \\
. stripslashes
删除了转义字符\\
。
If you just want to protect you from SQL injections, use mysql_real_escape_string
for data that is used in MySQL queries. 如果您只想保护自己免受SQL注入,请将mysql_real_escape_string
用于MySQL查询中使用的数据。 You could also use prepared statements or parameterized query builder (see SQL Syntax for Prepared Statements , PDO – Prepared Statements und Stored Procedures , MySQLi::prepare , et al.). 您还可以使用预准备语句或参数化查询构建器(请参阅准备语句的SQL语法 , PDO - 准备语句和存储过程 , MySQLi :: prepare等)。
are you asking if you still need regex as form validation next to all those functions? 你问的是你是否还需要正则表达式作为所有这些功能旁边的表单验证?
if that is what you are asking then in my opinion yes, you can never be safe enough. 如果这就是你所要求的那么在我看来是的,你永远不够安全。 I've just written a validation class with functions that clean up the code and other functions with regex when I need a specific input. 我刚刚编写了一个验证类,其函数可以在需要特定输入时使用正则表达式清理代码和其他函数。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.