I've written a decent admin interface that includes inventory management, content management, and blogging. Now it's time to lock it down and make it secure (yes, I should have been doing it from the beginning...).
For blog creation/editing, I'm using ckeditor, which posts HTML output to editblog.php. Also, I'm using simple text inputs for Title, Author, etc.
I'm concerned because the blog will have img src="uploads/etc.jpg", as well as divs, spans, etc...
SO! When I sanitize this data, how do I make sure that all those quotes and slashes can be safely shoved into my SQL database, and what do I do to spit it back out on the frontend? I'm also concerned because if the blogger "quotes" something, I don't want that to be messed with either.
For simple input like title, author, etc., I'm using $title = mysqli_real_escape_string($title). But is that enough? How do I preserve the user's intended input while avoiding attack?
I've done my research and yet I still don't get it. I hope someone can break it down nice and simple for me...
Nice and simple...
You always sanitize for the context to which you want to write.
These techniques will preserve the user's input, but prevent that input from being interpreted as code within a specific context.
When you want to query the database, you are worried about SQL injection attacks:
When you want to display something (as HTML) that will be parsed by the browser, you are worried about cross-site scripting:
This will provide a basic level of security.
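The two contexts from the answer carried through in PHP, as an added example that is not part of the original question or answer. The SQL context uses a mysqli prepared statement, so quotes and backslashes in the title or body never touch the query text; the HTML context escapes plain-text fields with htmlspecialchars at output time. It goes one step beyond the answer for the rich HTML body from the editor: escaping it would turn the img/div/span markup into visible text, so instead it keeps only an allowlist of elements and attributes and requires image sources to sit under uploads/. The `posts` table, its columns, the `$db` connection and the allowlist contents are assumptions made for this example.

```php
<?php
// Added example; not the question's or the answer's own code.
// Assumes a mysqli connection $db and a `posts` table (title, author, body).

// SQL context: parameterised query. The data is sent separately from the query
// text, so nothing in it can be interpreted as SQL, whatever quotes it contains.
function save_post(mysqli $db, string $title, string $author, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (title, author, body) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $title, $author, $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

// HTML context, plain-text fields: escape when writing into the page, not when
// storing. A title containing "quotes" is stored verbatim and rendered as typed,
// because the browser decodes &quot; back to a quote character.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HTML context, rich body from the editor: allowlist of elements and attributes
// (assumed for this example). Anything not listed, including <script>, event
// handler attributes and style, is removed together with its subtree.
const ALLOWED_TAGS  = ['p', 'br', 'div', 'span', 'strong', 'em', 'ul', 'ol', 'li',
                       'blockquote', 'h2', 'h3', 'img', 'a'];
const ALLOWED_ATTRS = ['img' => ['src', 'alt'], 'a' => ['href']];

function sanitize_rich_html(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // editor output is rarely strict HTML
    $doc->loadHTML('<!DOCTYPE html><html><head>'
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">'
        . '</head><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_node(DOMNode $node): void {
    // Walk a copy of the child list: removing nodes while iterating skips items.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child);
                continue;
            }
            $allowed = ALLOWED_ATTRS[$tag] ?? [];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed, true) || !safe_url_attr($name, $attr->value)) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_node($child);
        } elseif ($child->nodeType !== XML_TEXT_NODE) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

// Image sources must point into the site's own uploads/ directory; links may be
// http(s), site-relative or fragment. javascript: and data: URLs fail both checks.
function safe_url_attr(string $name, string $value): bool {
    if ($name === 'src') {
        return (bool) preg_match('#^uploads/[A-Za-z0-9._-]+$#', $value);
    }
    if ($name === 'href') {
        return (bool) preg_match('#^(https?://|/|\#)#i', $value);
    }
    return true; // alt carries no URL
}

// Front-end rendering: each field is written with the treatment its context needs.
function render_post(array $post): string {
    return '<h1>' . esc($post['title']) . '</h1>'
         . '<p class="author">' . esc($post['author']) . '</p>'
         . '<div class="body">' . sanitize_rich_html($post['body']) . '</div>';
}
```

With this layout mysqli_real_escape_string is not needed at all: the prepared statement handles the SQL context, and escaping happens only at the moment the data is written into HTML, which is why the stored title still reads exactly as the blogger typed it. The allowlist is the part to keep reviewing as the editor gains features; in production a maintained HTML sanitizer library is the usual choice over a hand-rolled walker like the one above.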