For a secure url query, what is more secure? filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlentities ?
The first one is obviously designed for this purpose.
What are you defending against? A vulnerability is highly dependent on how the data is being used. It's impossible to create one function call that protects against everything, and mixing protection systems (like XSS and SQL injection) is a very bad idea.
For XSS you should use: htmlspecialchars($var, ENT_QUOTES);
For Sql Injection in mysql you should use mysql_real_escape_string($var);
If you are passing user input to system() or another similar function then you should use escapeshellarg($var);
These are the top 3 and mixing these will cause nothing but problems.
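As an added illustration of the "one function per output context" point above (example code, not from either answer), here is one untrusted value run through the HTML, URL-query, shell and SQL contexts. The SQL part binds a parameter via PDO because the mysql_* extension no longer exists in PHP 7 and later; SQLite in memory stands in for MySQL, and example.com, /var/log/app.log and the users table are made-up names.

```php
<?php
// Added example, not code from the original answers. One constructed untrusted
// value is escaped for each output context; where it crosses two contexts
// (a URL placed inside an HTML attribute) both encodings apply, innermost first.
$input = "O'Reilly <b>&</b> \"co\"; rm -rf /";

// HTML body or attribute: neutralise <, >, &, " and ' (ENT_QUOTES covers both quote kinds).
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// URL query string (the question's case): percent-encode every key and value.
function forUrlQuery(array $params): string {
    return 'https://example.com/search?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Shell argument: wrap in single quotes and escape embedded quotes.
function forShellCommand(string $s): string {
    return 'grep -F -- ' . escapeshellarg($s) . ' /var/log/app.log';
}

// SQL: bind the value as a parameter instead of escaping it into the statement
// text. An in-memory SQLite database stands in for MySQL so this runs offline.
function forSql(string $s): array {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->prepare('INSERT INTO users (name) VALUES (:name)')->execute([':name' => $s]);
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $s]);            // quotes and semicolons are just data here
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$url = forUrlQuery(['q' => $input]);
echo forHtml($input), PHP_EOL;                  // safe to echo into a page
echo $url, PHP_EOL;                             // safe as a URL
echo '<a href="', forHtml($url), '">search</a>', PHP_EOL; // URL-encode, then HTML-escape
echo forShellCommand($input), PHP_EOL;          // safe as a single shell argument
print_r(forSql($input));                        // the row comes back with the raw value intact
```

Note that the href line applies two layers on purpose: the value is percent-encoded for the URL, and the finished URL is then HTML-escaped for the attribute; applying only one of them leaves the other context unprotected.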