问题
In PHP, does one have to sanitize these types of inputs: radio buttons, checkboxes and <option>? Or do only the inputs where the user can enter arbitrary text have to be sanitized?
回答1:
The form you send to the client does not, in any way, limit what data they can send back.
So, yes, you need to provide sanity checking and suitable escaping for every piece of incoming data.
回答2:
Do you use PDO?
If not you need to sanitize them. Especially for <option>any value'here</option>
回答3:
In addition to the other answers, doing a custom ('hacked') POST/GET is always (easily) possible. You should always check EVERY variable that is customizable
来源:https://stackoverflow.com/questions/6280917/sanitize-radio-buttons-checkboxes-and-option