I am following various steps to prevent any kind of injection or attack on my web application. While I was following them a question came to my head: one of the very basic actions to take to prevent attacks on your web app is to prevent the user from writing malicious scripts that could possibly hurt the other users. In the sources I've read it said that you should use strip_tags() or htmlentities(), but it wasn't clear enough whether I should apply it before I insert the user data into the database, before I print it out, or maybe both.
So basically my question is: when do I use these functions? And also, what if I want to keep some of the HTML tags (in case I am using an HTML text editor), and is that recommended at all?
Thanks in advance.
strip_tags() is used to sanitize the data you receive from the users. It will try to remove all NULL bytes, HTML and PHP tags. Personally I am not a fan of this function as there are better ways to validate and sanitize input, e.g. filter_input().
If you would like to keep some HTML, you could take a look at http://htmlpurifier.org/
htmlentities() is used to output data into an HTML context. If you are displaying anything in HTML (it doesn't matter where the data comes from) you should use this to prevent XSS. More information
To prevent SQL injections you should use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. If you make sure to never mix data and SQL you can insert any data you would like into the DB, even other SQL.
They all have different uses and prevent different kinds of bugs.
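The following is an added example, not code from the question or the answer above, that puts the three points together: store the user's text unchanged through a PDO prepared statement, escape it only at the moment it is rendered into HTML, and see why strip_tags() with an allowed-tag list is not a substitute for a real HTML sanitizer. It uses an in-memory SQLite database purely so it runs offline; the PDO calls are the same for MySQL. The helper name h() and the sample inputs are constructed for the example, and htmlspecialchars() is used in place of htmlentities() because, on a UTF-8 page, escaping the five significant HTML characters is all the text context needs.

```php
<?php
declare(strict_types=1);

// Added example. SQLite in memory is assumed here only for portability;
// the prepared-statement API is identical against MySQL via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1. Storage: keep the submitted text exactly as received. The bound
//    parameter keeps data and SQL separate, so input that looks like SQL
//    is stored as a literal string and never parsed as part of the query.
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// 2. Output: escape for the HTML text context at the point of use.
//    ENT_QUOTES covers both quote styles, so the same helper is also safe
//    inside a quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8
//    instead of returning an empty string (which would silently drop output).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: one shaped like an SQL injection, one like XSS.
$inputs = [
    "Robert'); DROP TABLE comments; --",
    '<script>alert(document.cookie)</script>',
];
foreach ($inputs as $in) {
    storeComment($pdo, $in);
}

// Both rows round-trip unchanged and the table still exists. Escaping
// happens here, not at insert time, so the database keeps the original
// text and the same row can be reused in a non-HTML context (JSON, e-mail)
// with the escaping appropriate to that context instead.
foreach ($pdo->query('SELECT id, body FROM comments ORDER BY id') as $row) {
    echo '<li>', h($row['body']), "</li>\n";
}

// 3. Why strip_tags() with an allow-list is not a sanitizer: it removes
//    tags, not their text content, and it does not touch attributes on the
//    tags you allow, so an event-handler attribute on <b> survives intact.
$rich = '<b onmouseover="alert(1)">bold</b><script>alert(2)</script>';
echo strip_tags($rich, '<b>'), "\n";
```

Run it with `php example.php`. The two echoed list items show the stored text escaped (the `<script>` payload appears as `&lt;script&gt;...`), and the last line shows that strip_tags() removed the `<script>` and `</script>` tags but left the `alert(2)` text and the `onmouseover` attribute on the allowed `<b>` in place. If some HTML must be kept, as the question asks, the tag and attribute whitelist has to be enforced by an HTML-aware sanitizer such as the HTML Purifier the answer links to, and that sanitizing step belongs on output (or on both store and output), not as a replacement for escaping.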