开发者

how to remove hazardous character in php

I have to remove hazardous chracter from my query post string. Is there any function define in开发者_运维知识库 php to remove directly or another way ?


First thing first what do you use these strings for ?

  • If you store them in a database : use parameterized queries (use mysqli or PDO instead of mysql).
  • If you display them in a webpage : use htmlspecialchar to filter HTML code
  • If you use it to redirect the user to some page : filter \n and \r character
  • If you use it to send emails : filter \n and \r characters too
  • If you want to avoid CSRF : don't forget to check the random token you'll have put in your form
  • If you use it to get the path to a file on your system : don't
  • Whatever you do, don't forget to use the filter_input function to get your data as it handle the magic_quotes

Don't forget to check the OSWAP top 5


I hope you aren't putting sql queries into a GET string... but whatever.

If this is for a query, use mysql_real_escape_string.


In normally for this, we can use addslashes and stripslashes in php.

But better method is to use mysql_real_escape_string for query to avoid this type of sql injection.


Filter the input?


Use strip_tags(), htmlspecialchars() and htmlentities().

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜