Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.9k views
in Technique[技术] by (71.8m points)

security - How to escape output in PHP

I am a newbie, just to be clear. I hear a lot about escaping data to prevent XSS attacks. How do I actually do that?

This is what I am doing currently -

$s = mysqli_real_escape_string($connect,$_POST['name']));

Is this enough? Thanks

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

If you output the data to html you should use htmlspecialchars() else, if you're storing the data in a database you should escape strings using mysqli_real_escape_string() and cast numbers (or use prepared statements for both) and protect identifiers/operators by whitelist-based filtering whem.

Both these methods are all you need if you use them the correct way.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...