问题描述
用户将在textarea中输入文本。然后将其直接插入到mySQL数据库中。我使用trim,htmlentities,mysql_real_escape_string,并启用了魔术引号。如何在将数据输出回textarea时清理它?我从来没有太确定这样做的正确方式...您不应该使用 htmlentities
保存时。显示时应该使用 htmlentities
。经验法则是不需要对数据进行编码/清理,直到需要为止。如果您在保存时对其执行 htmlentities
,那么当用户想要编辑时,您必须对文本执行 html_entity_decode
输入。所以,你可以净化你所需要的东西,而不是更多。保存时,您需要清理SQL注入,以便 mysql_real_escape_string
它。显示时,您需要清理XSS,因此您 htmlentities
它。
另外,我不确定是否你看到了Darryl Hein的评论,但你真的不想要magic_quotes启用。 ,并且从PHP 5.3开始已经被弃用了,完全在PHP 6中完成。
A user will input text in a textarea. It is then inserted directly into a mySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes enabled. How should I sanitize it when outputting that data back into a textarea?
Thanks for your help. I've never been too sure on the correct way of doing this...
You shouldn't use htmlentities
when saving it. You should use htmlentities
when displaying it. The rule of thumb is not to encode/sanitize the data until you need to. If you do htmlentities
on it when you save then you have to do html_entity_decode
on the text when the user wants to edit the input. So you sanitize for what you need and nothing more. When saving it, you need to sanitize for SQL injection, so you mysql_real_escape_string
it. When displaying, you need to sanitize for XSS, so you htmlentities
it.
Also, I am not sure if you saw Darryl Hein's comment, but you really do not want magic_quotes enabled. They are a bad, bad, thing and have been deprecated as of PHP 5.3 and will be gone altogether in PHP 6.
这篇关于如何正确清理从文本区域收到的数据,并将其输出回文本区域?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!