Securing fetched data with PHP
Question
So this week I'm going to secure my PHP application as much as possible. I retrieve data from the database a lot, so I need some basic tips that would help me secure the below code.
Thanks, im just a newbie.
<?php
mysqli_select_db($connect,"users");
$select="select * from members";
$result=mysqli_query($connect,$select);
$row=mysqli_fetch_array($result);
//this is what i want to secure -- down
$a = $row['name'];
$b = $row['add'];
?>
Thanks.
3 answers
solution1
1 2011-02-01 19:49:47
使用htmlspecialchars()对要在浏览器中显示的用户输入/数据库中的所有内容进行编码,以避免使用XSS 。
solution2
0 2011-02-01 19:50:27
You basically need to secure BEFORE sending data to the DB (against SQL injection), and BEFORE outputting to html (against XSS). Those things are important, while inside your script almost everything is pretty much harmless (and can lead to errors on subsequent codes, btw).
solution3
0 2011-02-01 19:53:22
At first hand, do you have any security when inputing data in your database ? You code may be vurnalable to SQL Injection if you do not sanitize your data when inserting into the database. For that - check this function http://php.net/manual/en/mysqli.real-escape-string.php
Another thing is that, html and javascript can be inserted in your database, and if you do not escape it and use print that data to HTML, you are vurnalable to Cross-Site-Scripting . You should escape your data using http://bg.php.net/manual/en/function.htmlentities.php . or http://bg.php.net/manual/en/function.htmlspecialchars.php
Security is a big topic, but this can be a start for you - escape your input first, then take care of the output.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.