Verify user input?

I am very confused by something and wondered if anyone could explain.

In PHP, I check user input so that htmlentities and mysql_real_escape_string are used before inserting into the database, and not on everything, since I prefer to use regular expressions when I can, although they are hard for me to work with. Now, obviously, I will use mysql_real_escape_string as the data arrives at the database, but isn't it necessary to use htmlentities() only when retrieving data from the database and displaying it on a web page, since otherwise it modifies the data a person entered, so it is not saved in its original form, which can cause problems if I want to use this data later for something else?

So, for example, I have a guestbook with three fields: name, subject and message. Now it's obvious that the fields can contain something like malicious code in js tags, basically anything, and here is what confuses me: let's say I'm a malicious person, and I decide to use js tags and some malicious js code and submit the form; now basically I have malicious, useless data in my database. Now, using htmlentities when outputting the malicious code to a web page (the guestbook) is not a problem because htmlentities turns it into a safe equivalent, but at the same time I have useless malicious code in the database that I would prefer not to have.

Therefore, having said all this, do I have to accept that some of the data in the database can be malicious, useless data, and as long as I use htmlentities on output everything will be fine, or should I do something else?

I have read so many books about filtering data when it is received and escaping it when it is output, so the original form is saved, but they only ever give examples such as ensuring that a field is only an int, using functions already built into PHP, etc. I have never found anything about providing something like a guestbook, where you want users to enter whatever they want, or how you could filter such data other than with mysql_real_escape_string() to ensure it doesn't break the database query.


+5
3

, , :

" HTML, ?"

, HTML ( htmlspecialchars), , , .

: . , , - , . mysql_real_escape_string, , ; SQL. htmlspecialchars HTML; , HTML. htmlspecialchars , .

, . "" ( , HTML , !), HTML (, XML , - HTML ?), ?

( ..). , ( JS, ).

PHP - , , PDO, mysql_real_escape_string . PDO , .

+2

mysql_real_escape_string() - , . , - , "" .

htmlentities() htmlspecialchars() , /. HTML, HTMLPurifier, .

+1

There is no reason to worry that the database has malicious JavaScript code in it if you escape HTML on output. Just make sure that you always escape everything that comes out of the database.

0
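The pattern the answers describe (store the original text unchanged via prepared statements, escape only at render time) as an added example; this is not code from the question or any answer. It uses an in-memory SQLite database so it runs stand-alone, the table and column names are assumptions, and the escaping shown is for HTML element content only (attribute values, URLs and inline JavaScript need context-specific handling).

```php
<?php
// Added example (not from the question or any answer): a guestbook that stores
// input unchanged via PDO prepared statements and escapes only on output.
// Uses an in-memory SQLite database so it runs stand-alone; table and column
// names are assumptions.
declare(strict_types=1);

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $pdo->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT, subject TEXT, message TEXT)');
    return $pdo;
}

// Storage: no htmlentities(), no manual escaping. Bound parameters keep the
// data separate from the SQL, so whatever the user typed is saved as-is.
function saveEntry(PDO $pdo, string $name, string $subject, string $message): void {
    $stmt = $pdo->prepare('INSERT INTO guestbook (name, subject, message) VALUES (:name, :subject, :message)');
    $stmt->execute([':name' => $name, ':subject' => $subject, ':message' => $message]);
}

// Output: escape for the HTML element context at the moment of rendering.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently drop the entry.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderEntry(array $row): string {
    return '<article><h3>' . e($row['subject']) . '</h3>'
         . '<p class="author">' . e($row['name']) . '</p>'
         . '<p>' . nl2br(e($row['message'])) . '</p></article>';
}

$pdo = openDb();
// Constructed hostile-looking input, the case the question worries about.
saveEntry($pdo, 'Mallory', "Hi <script>alert('xss')</script>", "Line 1\nLine 2 \"quoted\" & 'single'");

foreach ($pdo->query('SELECT name, subject, message FROM guestbook') as $row) {
    // The raw row still holds the original text (usable for e-mail, export, etc.).
    assert(str_contains($row['subject'], '<script>'));
    // The rendered HTML contains no live tag, only escaped text.
    $html = renderEntry($row);
    assert(!str_contains($html, '<script>'));
    echo $html, PHP_EOL;
}
```

The same stored row can be reused elsewhere (plain-text e-mail, JSON export) with the escaping appropriate to that output, which is exactly what escaping before storage would have prevented.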
