javascript 禁用输入字段中的 html 标签、php、脚本
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/12045634/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
disable html tag, php, script from input field
提问by kaboom
Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site
I have a form that user can fill in their personal information. The user submits the form and A web service will process these information and store the information in mysql database.
我有一个表格,用户可以填写他们的个人信息。用户提交表单,Web 服务将处理这些信息并将这些信息存储在 mysql 数据库中。
But what if users enter html tag, php code, or javascript in the input field. I would like to prevent that. I know in javascript there's a method call escapehtml, in php it's strip_tags.
但是如果用户在输入字段中输入 html 标签、php 代码或 javascript 呢?我想阻止这种情况。我知道在javascript中有一个方法调用escapehtml,在php中它是strip_tags。
I just want to know the correct way of disabling the abilities to type html, php, script from input field. Do I use strip_tags for all input I received?If I use strip_tags, how to disable script? Or there is away to do it in mysql?
我只想知道禁用从输入字段输入 html、php、脚本的能力的正确方法。我收到的所有输入都使用strip_tags吗?如果我使用strip_tags,如何禁用脚本?或者在mysql中可以做到吗?
Thank you
谢谢
This is the form:
这是表格:
<div>
<label class='info-title whitetext' for="name">Full Name: </label>
<input type="text" name="name" id="name" size='25' maxlength="100" required />
</div>
<div>
<label class='info-title whitetext' for="phone">Phone: </label>
<input type='text' pattern='\d+' name='phone' id='phone' size='25' maxlength='12' />
</div>
<div>
<label class='info-title' for="email">Email: </label>
<input type="email" name="email" id="email" size='35' maxlength="60" required />
</div>
<div>
<label class='info-title' for="address">Address: </label>
<input type="text" name="address" id="address" size='45' maxlength="50" required />
</div>
采纳答案by Thomas
Try htmlspecialchars($string);
尝试 htmlspecialchars($string);
That will encode all the HTML tags to character codes (<div>would become <div>, which will be displayed without being parsed as html) This way, script tags cannot be created as well.
这会将所有 HTML 标签编码为字符代码(<div>将变成<div>,将显示而不被解析为 html)这样,脚本标签也无法创建。
Be sure to clean the content before supplying it to a database though, for example by escaping with mysqli_escape_string()(others will probably advice you to use preparestatements).
在将内容提供给数据库之前一定要清理内容,例如通过转义mysqli_escape_string()(其他人可能会建议您使用prepare语句)。
It is most likely notbest practice to put HTML character encoded strings into the database, as it simply increases the string size unnecessarily. (And it doesn't provide protection against SQL injection on its own)
将 HTML 字符编码的字符串放入数据库很可能不是最佳实践,因为它只会不必要地增加字符串大小。(并且它本身不提供针对 SQL 注入的保护)
回答by Xavier_Ex
You cannot disable "the abilities to type html, php, script from input field", unless you check users' input in real time and specifically block them when you detect that a tag is entered. Yet I don't see a reason why anyone would want that, the proper way is to properly process users' input when submitted.
您不能禁用“从输入字段键入 html、php、脚本的功能”,除非您实时检查用户的输入并在检测到输入标签时专门阻止他们。然而,我不明白为什么有人会想要这样做,正确的方法是在提交时正确处理用户的输入。
For html tags or php codes or things like that you can definitely use escapehtml or strip_tags, but if you are later putting the content into mysql, I have to remind you of sql injection attack.
对于html标签或者php代码或者类似的东西你肯定可以使用escapehtml或者strip_tags,但是如果你以后把内容放到mysql中,我不得不提醒你sql注入攻击。
If you are not familiar with the term, users can type in mysql queries that interfere with your sql queries. If we blindly insert user provided content into our "INSERT" statements, those statements might be altered by sql keywords in user's input.
如果您不熟悉该术语,用户可以输入干扰您的 sql 查询的 mysql 查询。如果我们盲目地将用户提供的内容插入到我们的“INSERT”语句中,这些语句可能会被用户输入中的 sql 关键字更改。
For ways to prevent sql injection attack, you can take a look at wiki's page for a good start: http://en.wikipedia.org/wiki/SQL_injection#Mitigation
有关防止 sql 注入攻击的方法,您可以查看 wiki 的页面以获得良好的开端:http: //en.wikipedia.org/wiki/SQL_injection#Mitigation
回答by Niet the Dark Absol
Personally, I just like to do $out = str_replace("<","<",$in). It provides the least possible disruption for the user, and they are most likely to get out what they typed in.
就个人而言,我只是喜欢做$out = str_replace("<","<",$in)。它为用户提供了尽可能少的干扰,并且他们最有可能得到他们输入的内容。
If the user input may end up in an HTML attribute (for whatever reason), you should also replace "with ".
如果用户输入可能以 HTML 属性结尾(无论出于何种原因),您还应该替换"为".
Never put user-supplied content into a <script>tag, and never save it to a file without first performing the replacements.
永远不要将用户提供的内容放入<script>标签中,也不要在没有先执行替换的情况下将其保存到文件中。
