PHP 中的清洁和安全字符串
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4451222/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Clean & Safe string in PHP
提问by Stefan
Possible Duplicates:
PHP: the ultimate clean/secure function
What's the best method for sanitizing user input with PHP?
What should I add to my function to be sure that every string that passes it will be 'server-friendly'? I use this small function to check inputs that contains names, e-mail addresses and ids.
我应该向我的函数添加什么以确保通过它的每个字符串都是“服务器友好的”?我使用这个小函数来检查包含姓名、电子邮件地址和 ID 的输入。
function checkInput($str) {
$str = @strip_tags($str);
$str = @stripslashes($str);
$str = mysql_real_escape_string($str);
return $str;
}
回答by Thibault Witzig
I would remove some special characters thet have nothing to do in such strings and could be used for code injections, like $ % # < > | and so on.
我会删除一些与此类字符串无关的特殊字符,可用于代码注入,例如 $ % # < > | 等等。
$invalid_characters = array("$", "%", "#", "<", ">", "|");
$str = str_replace($invalid_characters, "", $str);
回答by troelskn
回答by fire
What does server friendly mean?
服务器友好是什么意思?
For validation such as email addresses take a look at data filtering.
对于电子邮件地址等验证,请查看数据过滤。
To make sure a string is safe for database's use escaping such as mysql_real_escape_string
确保字符串对于数据库使用转义是安全的,例如 mysql_real_escape_string
When outputting data use htmlspecialchars
输出数据时使用 htmlspecialchars
