Escaping variables

Backend | Unresolved | 4 | 1800
轻奢々 2020-12-10 21:11

I've read that it's enough and even recommended to escape characters on the output, not on the input.

It could be easily applied to all get variables as they are n

4 answers
  • 时光说笑 2020-12-10 21:48

    escape characters on the output, not on the input

    Yes.

    easily applied to all get variables

    But $_GET is by definition input

    Isn't it escaping variables twice ?

    No - by escaping the content you're just insulating it from mis-interpretation by the processing agent. The database doesn't store the escaped data, it stores the original data.

    Hence if you start with

    O'Reilly

    Then escape to splice it into a SQL string....

    O\'Reilly

    Then the value stored in the database, and retrieved by a SELECT statement, is

    O'Reilly

    And when you want to output it in your HTML, then you pass it through htmlspecialchars() to get

    O&#039;Reilly

    You use an appropriate method for escaping the data depending on where it's going - hence you use mysql_real_escape_string() or parameter binding or similar when putting stuff INTO your database, and htmlspecialchars() when putting stuff INTO HTML.

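The round trip the answer above describes, written out as an added example (this is not code from the question, the answer, or any project; it assumes the PDO SQLite driver is installed, and the helper names storeName, loadNames and renderName and the sample inputs are constructed for illustration). It stores the raw input with parameter binding, shows that the database holds the original string, escapes only at the HTML sink, and contrasts that with the double-escaping you get by "escaping on input" with addslashes() before binding.

```php
<?php
// Added example, not part of the original page. Escape per sink at the point
// of output; never pre-escape the input. Assumes the PDO SQLite driver exists.
declare(strict_types=1);

// Store the value exactly as received. Parameter binding sends the data
// separately from the SQL text, so no quoting is needed or wanted here.
function storeName(PDO $db, string $rawName): void
{
    $stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
    $stmt->execute([':name' => $rawName]);
}

// Retrieve the stored values: they are the original strings, not an escaped form.
function loadNames(PDO $db): array
{
    return $db->query('SELECT name FROM authors ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Escape for the HTML sink only at the moment of output. ENT_QUOTES turns the
// single quote into &#039; so the value is safe inside attributes as well.
function renderName(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</li>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed inputs standing in for $_GET['name'] (the input side).
$inputs = [
    "O'Reilly",
    "<script>alert(1)</script>",
    "'; DROP TABLE authors; --",
];

foreach ($inputs as $raw) {
    storeName($db, $raw);
}

// Wrong: "escaping on input" with addslashes() and then binding anyway.
// The database now holds O\'Reilly, and the backslash leaks into the HTML.
$stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
$stmt->execute([':name' => addslashes("O'Reilly")]);

// The SQL-injection-looking input was stored as plain data; the table survives.
foreach (loadNames($db) as $stored) {
    // var_export shows the exact stored bytes: the bound rows are unchanged,
    // only the addslashes() row carries a stray backslash.
    echo var_export($stored, true), ' => ', renderName($stored), PHP_EOL;
}
```

Running it prints one line per row: the first three show the raw strings stored verbatim and rendered as `O&#039;Reilly`, `&lt;script&gt;alert(1)&lt;/script&gt;` and the literal injection text, while the fourth row renders as `O\&#039;Reilly`, which is the visible symptom of escaping the same data twice.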