防止将javascript输入表单或保存到数据库中
[英]Keep javascript from being entered into a form or saved into database
问题描述
How would I keep javascript and php code from being entered into a form or saved to a database ? 
如何避免将javascript和php代码输入表单或保存到数据库中? I'm still learning about client/server-side security and this seems to be an issue I need to resolve :p Could I do this on php side? 我仍在了解客户端/服务器端的安全性,这似乎是我需要解决的问题:p我可以在php端这样做吗?
2 个解决方案
解决方案1
1 已采纳 2011-07-27 06:31:03
When you are inserting in a database with php, you can use the the strip_tags() function. 使用php将数据库插入数据库时,可以使用strip_tags()函数。
eg: 例如:
$query="INSERT INTO `DB` (`id`,`data`)
VALUES (".$id.",".mysql_real_escape_string(strip_tags($data)).");";
$mysql_query($query) or die(mysql_error().'<br/><pre>'.$query.'</pre>');//Debug only
The strip_tags function will strip all the html tags from the passed variable including the tag <script> so no JavaScript will be passed. strip_tags函数将从传递的变量中剥离所有html标记,包括标记<script>,因此不会传递任何JavaScript。 http://php.net/manual/en/function.strip-tags.php http://php.net/manual/zh/function.strip-tags.php
Edit: 编辑:
Added the mysql_real_escape_string() 添加了mysql_real_escape_string()
解决方案2
0 2011-07-27 06:36:20
Blockquote Could I do this on php side?
You have to - never (ever!) trust incoming data or clientside security checks via Javascript. 您必须-永远(永远!)通过Javascript信任传入的数据或客户端安全检查。 Javascript can secure some content and take some workload off your server, but it is useless when bypassed or deactivated. Javascript可以保护某些内容并减轻服务器的工作量,但是当绕过或禁用它时,它是无用的。
Use the Internet Search Engine of your choice, look-up and learn more about SQL-injection / Cross Site Scripting (XSS) . 使用您选择的Internet搜索引擎,查找并了解有关SQL注入 / 跨站点脚本(XSS)的更多信息 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.