问题描述
我应该将htmlentities
与strip_tags
一起使用吗?
Should I use htmlentities
with strip_tags
?
当添加到数据库中并考虑删除输出中的htmlentities
时,我当前正在使用strip_tags
;我想避免在服务器上生成HTML时进行不必要的处理.
I am currently using strip_tags
when adding to database and thinking about removing htmlentities
on output; I want to avoid unnecessary processing while generating HTML on the server.
仅使用strip_tags
而不允许使用标签是安全的吗?
Is it safe to use only strip_tags
without allowed tags?
推荐答案
首先:仅在需要时使用转义方法. IE.如果您将某些内容插入数据库,则仅对数据库进行转义,即应用 mysql_real_escape_string
(或PDO->quote
或您正在使用的任何数据库层).但是,请不要对输出应用任何转义.尚无strip_tags
或类似名称.这是因为您可能想在其他地方使用存储在数据库中的数据,在这些地方不需要HTML转义,而只是使文本难看.
First: Use the escaping method only as soon as you need it. I.e. if you insert something into a database, only escape it for the database, i.e. apply mysql_real_escape_string
(or PDO->quote
or whatever database layer you are using). But don't yet apply any escaping for the output. No strip_tags
or similar yet. This is because you may want to use the data stored in the database someplace else, where HTML escaping isn't necessary, but only makes the text ugly.
第二:您不应该使用strip_tags
.它将全部删除标签. IE.用户得到的输入与输入的结果不同.请使用 htmlspecialchars
.它将为用户提供相同的输出,但将使其无害.
Second: You should not use strip_tags
. It removes the tags altogether. I.e. the user doesn't get the same output as he typed in. Instead use htmlspecialchars
. It will give the user the same output, but will make it harmless.
这篇关于strip_tags和htmlentities的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!