Ways to prevent SQL Injection Attack & XSS in Java Web Application

Note: this page is a Chinese/English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it, you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me). Original StackOverflow address: http://stackoverflow.com/questions/485023/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-11 15:15:11  Source: igfitidea

Tags: java, regex, xss, sql-injection

Asked by arya

I'm writing a java class which would be invoked by a servlet filter and which checks for injection attack attempts and XSS for a java web application based on Struts. The InjectionAttackChecker class uses regex & java.util.regex.Pattern class to validate the input against the patterns specified in regex.

With that said, I have following questions:

  1. Which special characters and character patterns (for example <>, ., --, <=, ==, >=) should be blocked so that injection attacks can be prevented?
  2. Is there any existing regex pattern which I could use as is?
  3. I have to allow some of the special character patterns in some specific cases. Some example values (to be allowed) are (using the 'pipe' | character as a separator of different values): *Atlanta | #654,BLDG 8 #501 | Herpes simplex: chronic ulcer(s) (>1 mo. duration) or bronchitis, pneumonitis, or esophagitis | FUNC & COMP(date_cmp), "NDI & MALKP & HARS_IN(icd10, yes)". What strategy should I adopt so that injection attacks and XSS can be prevented while still allowing these character patterns?

I hope I have stated the question clearly. If I haven't, I apologize, as it's just my 2nd question. Please let me know if any clarification is needed.

Answered by James McMahon

Based on your questions I am assuming you are attempting to filter bad values. I personally feel that this method can get very complex very quickly and would recommend encoding values as an alternate method. Here is an IBM article on the subject that lays out the pros and cons of both methods: http://www.ibm.com/developerworks/tivoli/library/s-csscript/.

To avoid SQL injection attacks just use prepared statements instead of creating SQL strings.

Answered by Loki

Here's a pretty extensive article on that very subject.

I don't think you'll have a holy grail here though. I would also suggest trying to encode/decode the received text in some standard ways (uuencode, base64).

Answered by duffymo

Validating and binding all data is a must. Perform both client-side and server-side validation, because 10% of people turn off JavaScript in their browsers.

Jeff Atwood has a nice blog about the topic that gives you a flavor for its complexity.

Answered by rmeador

If you attempt to sanitize all the data on input, you're going to have a very difficult time of it. There are tons of tricks involving character encoding and such that will allow people to circumvent your filters. This impressive list is only some of the myriad things that can be done as SQL injections. You've also got to prevent HTML injection, JS injection, and potentially others. The only sure way of doing this is to encode the data where it is used in your application. Encode all the output you write to your web site, encode all of your SQL parameters. Be especially careful with the latter, as normal encoding will not work for non-string SQL parameters, as explained in that link. Use parameterized queries to be completely safe. Also note that you could theoretically encode your data at the time the user enters it and store it encoded in the database, but that only works if you're always going to be using the data in ways that use that type of encoding (i.e. HTML encoding if it will only ever be used with HTML; if it's used in SQL, you're not going to be protected). This is partially why the rule of thumb is to never store encoded data in the database and always encode on use.

Answered by Ryan Anderson

Take a look at the AntiSamy project [www.owasp.org]. I think it is exactly what you want; you can set up a filter to block certain tags. They also supply policy templates; the slashdot policy would be a good start, then add on the tags you require.

Also, there is a wealth of knowledge on the www.osasp.org website about securing your application.

What user 'nemo' says about using prepared statements and encoding should also be performed.

Answered by Ryan Anderson

Don't filter or block values.

  1. You should ensure that when combining bits of text you do the proper type conversions :) i.e. if you have a piece of string which is type HTML and a string which is type TEXT you should convert TEXT to HTML instead of blindly concatenating them. In haskell you can conveniently enforce this with the type system.

Good html templating languages will escape by default. If you are generating XML/HTML then sometimes it is better to use DOM tools than a templating language. If you use a DOM tool then it removes a lot of these issues. Unfortunately, a DOM tool is usually crap compared to templating :)

  2. If you take strings of type HTML from users you should sanitize them with a library to remove all not-good tags/attributes. There are lots of good whitelist html filters out there.
  3. You should always use parameterized queries. ALWAYS! If you have to build up queries dynamically then build them up dynamically with parameters. Don't ever combine non-SQL typed strings with SQL typed strings.
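The two points above (convert TEXT to HTML at the point of use; build dynamic queries with parameters, never by concatenating) together with rmeador's "encode on use" advice, as an added Java example that is not part of any answer or of the asker's InjectionAttackChecker. It assumes a hypothetical patients(city, diagnosis) table and feeds the question's own sample values through unchanged, so none of the listed characters has to be blocked.

```java
import java.sql.*;
import java.util.*;

public class EncodeOnUse {
    // Assumed table: patients(city, diagnosis). The WHERE clause is built
    // dynamically because both filters are optional, but user values only
    // ever travel as JDBC parameters, never as text inside the SQL string.
    static List<String> findDiagnoses(Connection conn, String city, String diagnosis)
            throws SQLException {
        StringBuilder sql = new StringBuilder("SELECT diagnosis FROM patients WHERE 1=1");
        List<String> params = new ArrayList<>();
        if (city != null)      { sql.append(" AND city = ?");      params.add(city); }
        if (diagnosis != null) { sql.append(" AND diagnosis = ?"); params.add(diagnosis); }
        List<String> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql.toString())) {
            for (int i = 0; i < params.size(); i++) {
                ps.setString(i + 1, params.get(i)); // quotes, '--', '>' are plain data here
            }
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) rows.add(rs.getString(1));
            }
        }
        return rows;
    }
    // TEXT -> HTML conversion, applied where the value is written into a page,
    // not when it is received or stored (the database keeps the raw text).
    static String textToHtml(String text) {
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (char c : text.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    public static void main(String[] args) {
        // Sample values from the question plus one constructed HTML-looking value;
        // none of them needs to be blocked and all of them render as literal text.
        String[] samples = {
            "Herpes simplex: chronic ulcer(s) (>1 mo. duration) or bronchitis, pneumonitis, or esophagitis",
            "FUNC & COMP(date_cmp), \"NDI & MALKP & HARS_IN(icd10, yes)\"",
            "<b>constructed, not bold</b>"
        };
        for (String s : samples) System.out.println("<td>" + textToHtml(s) + "</td>");
    }
}
```

The same raw string would still need a different conversion for another sink (a JavaScript literal, a URL parameter), which is why encoding is done per use rather than once on input.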