
Safe string output

I got

$id = (int) $_POST['id'];
$content = filter_input(INPUT_POST, 'post_content', FILTER_SANITIZE_STRING);

The above is making my $content string secure when I post it to the database:

$conn->new->query("UPDATE `posts` SET `content` = '" . $conn->escape_string($content) . "' WHERE `id` = {$id};");

But at the same time, it does remove some special characters like tags; for example, I can not use < in my post, because it'll be removed.

How can I modify that to be secure enough and at the same time prevent my code from being hacked?


Escaping is the process of allowing certain characters that could have detrimental effects on the target system. For example, MySQL uses characters like quotes and parentheses. mysql_real_escape_string escapes such characters so they don’t pollute the queries.

You don’t necessarily need to sanitize HTML from data before storing it in the database, but you MUST escape harmful characters. As @Damien pointed out in a comment, you can escape HTML (which could have detrimental effects on your HTML) before output.
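The split the answer describes (store the text unchanged, escape for SQL on the way in, escape for HTML on the way out), as an added example that is not part of the original post. It assumes a mysqli connection and a `posts` table with `id` and `content` columns, and it swaps the manual escape_string() quoting for a bound parameter, which removes the quoting mistake entirely.

```php
<?php
// Added example (not from the original post): keep the user's content intact in
// the database, then escape it for the context it is rendered in.
// Assumes a mysqli connection $conn and a `posts` table with `id` and `content`.

declare(strict_types=1);

/** Store the post body unchanged; the bound parameter neutralises SQL metacharacters. */
function savePost(mysqli $conn, int $id, string $content): bool
{
    // Prepared statement instead of manual escape_string() plus quoting: the value is
    // never spliced into the query text, so '<', quotes and backslashes are stored as typed.
    $stmt = $conn->prepare('UPDATE `posts` SET `content` = ? WHERE `id` = ?');
    $stmt->bind_param('si', $content, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Escape for an HTML text node or quoted attribute value, at output time only. */
function renderContent(string $content): string
{
    return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input: a legitimate '<' plus characters that would break a query or a page.
$raw = $_POST['post_content'] ?? 'x < y and "quotes" <script>alert(1)</script>';
$id  = (int) ($_POST['id'] ?? 1);

$conn = new mysqli('localhost', 'user', 'pass', 'app'); // hypothetical credentials
savePost($conn, $id, $raw);

// The stored content is byte-for-byte what the user typed; only the rendering step
// transforms it, and only for the browser, so the '<' survives and no script runs.
echo '<div class="post">' . renderContent($raw) . '</div>';
```

If the content must instead be rendered as HTML rather than as text, htmlspecialchars() is the wrong tool and an HTML sanitizer with an allow-list is needed at output time; FILTER_SANITIZE_STRING is not that.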


Just use real_escape_string() and it should already be good and secure ^_^
