PHP $_SERVER['HTTP_HOST'] escaping, does this look acceptable?

I am just learning about escaping things and started reading about how it could be risky to use $_SERVER['HTTP_HOST'] due to XSS attacks.

I came up with this and was wondering if I could get some feedback on my attempt.

htmlspecialchars(
    filter_var( $_SERVER[ 'HTTP_HOST' ], FILTER_SANITIZE_URL ),
    ENT_QUOTES, 'UTF-8'
)

Does it look okay?

So much depends on this one variable being secure, I just had to ask for input.

EDIT:

I will be using this for display throughout the site, including basic anchor-hrefs, form-actions, etc.

It depends on what you want to use it for. If you want to display it, use htmlspecialchars. If you want to use it in a database query, you might use mysql_real_escape_string in the case of MySQL (or prepared statements).

Different escaping functions should be used for different situations, for example:

  • urlencode for items that will be dropped in a query string in an <a> tag, i.e. echo '<a href="index.php?foo=' . urlencode($foo) . '">'; (see also http_build_query )
  • mysql_real_escape_string for variables going in a SQL statement (though I prefer bind variables)
  • htmlentities for strings you want to display to the user, that may possibly have HTML within (see also strip_tags )
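The context-specific escaping both answers describe, as an added example in PHP that is not code from the question or from either answer. It also adds the check a practitioner would want before any escaping: $_SERVER['HTTP_HOST'] is copied from the client's Host header, so it is attacker-controlled input and should be validated against the hostnames the site actually serves, then escaped for whichever output context it lands in. The allowlist, hostnames, helper names and the forged request data below are assumptions made up for illustration.

```php
<?php
// Added example, not from the original page. Assumption: the site knows the
// hostnames it is legitimately served under; ALLOWED_HOSTS is invented here.
declare(strict_types=1);

const ALLOWED_HOSTS = ['example.com', 'www.example.com'];

/**
 * Return the request host if it is one we expect, otherwise the canonical host.
 * HTTP_HOST comes straight from the client's Host header, so it is untrusted:
 * check it against a fixed list instead of trying to "sanitize" it.
 * (Responding with HTTP 400 instead of falling back is an equally valid choice.)
 */
function currentHost(array $server, array $allowed = ALLOWED_HOSTS): string
{
    $raw = (string) ($server['HTTP_HOST'] ?? '');
    // Drop an optional ":port" suffix and lower-case; hostnames are case-insensitive.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $raw));
    return in_array($host, $allowed, true) ? $host : $allowed[0];
}

/** Escape for an HTML text node or a double-quoted attribute value. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build a same-origin URL: validated host, fixed path, percent-encoded query. */
function siteUrl(string $host, string $path, array $query = []): string
{
    $url = 'https://' . $host . $path;
    if ($query !== []) {
        $url .= '?' . http_build_query($query); // urlencodes every key and value
    }
    return $url;
}

// Constructed request data (not a real capture): a forged Host header that
// tries to break out of an attribute and inject a script tag.
$server = ['HTTP_HOST' => 'evil.example"><script>alert(1)</script>'];

$host = currentHost($server);           // not in the allowlist, so the canonical host is used
$href = siteUrl($host, '/search', ['q' => 'a&b <c>', 'page' => 2]);

// Escape for the HTML attribute context *after* the URL has been built, so the
// '&' that separates query parameters is emitted as '&amp;' inside the markup.
echo '<a href="' . e($href) . '">search</a>' . PHP_EOL;
echo '<form action="' . e(siteUrl($host, '/login')) . '" method="post"></form>' . PHP_EOL;

// For comparison, the question's FILTER_SANITIZE_URL step on the raw header.
// That filter only removes characters that cannot appear in a URL; '<', '>'
// and '"' are all legal URL characters and survive, so it is htmlspecialchars,
// not the filter, that prevents the injection above.
echo filter_var($server['HTTP_HOST'], FILTER_SANITIZE_URL) . PHP_EOL;
```

The order of operations matters: encode each query value with urlencode or http_build_query while assembling the URL, then apply htmlspecialchars once to the finished string at the point it is written into an attribute. Applying the HTML escape first and URL-encoding afterwards would double-encode the value.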
