Is it recommended to have a sanitizing function that combines two or more built-in sanitizing functions in PHP?

Submitted by 本小妞迷上赌 on 2019-12-02 20:06:24

Question


Is it okay to employ a function that sanitizes the incoming inputs from a form submission or any other request? It is time-saving, but the question of effectiveness and efficiency still haunts me. For instance,

    function clearSpecialChars($str)
    {
        $str = htmlentities($str);             // encode HTML special characters as entities
        $str = strip_tags($str);               // drop any HTML/PHP tags that remain
        $str = mysql_real_escape_string($str); // escape for a MySQL query (needs an open mysql_* connection)

        return $str;
    }

so that when I get a form submission I do:

    $username=clearSpecialChars($_REQUEST['username']);

    $email=clearSpecialChars($_REQUEST['email']);

Fundamentally, I am not desiring any html inputs from the user.


Answer 1:


Each function serves its own purpose; you shouldn't use any function for anything other than its intended use.

  1. You should use mysql_real_escape_string before using the parameter in a MySQL query.
  2. You should use htmlspecialchars before outputting to the page.

That's about it.




Answer 2:


Yes, you can create a simple function to sanitize a value before using it. I use a function like this:

function sanitize($value)
{
    // addslashes() backslash-escapes ' " \ and NUL; htmlentities() then encodes HTML special characters
    return htmlentities(addslashes($value));
}

It escapes ' and " and converts all applicable characters to HTML entities. Mine is more complicated, with other options, but you can start from it.
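Added example, written for this page and not taken from the question or either answer: it puts the question's combined clearSpecialChars (minus its MySQL step) and answer 2's sanitize side by side with the per-context escaping that answer 1 recommends, pushing one constructed sample value through each, storing it, reading it back and rendering it as HTML. It assumes PHP 7.4 or later with the pdo_sqlite extension: an in-memory SQLite database stands in for MySQL so the script runs offline, and a parameterised query stands in for mysql_real_escape_string, which needs a live mysql_* connection and no longer exists in PHP 7. The table name, column name and file name are hypothetical.

```php
<?php
// Added example: combined input "sanitisers" versus per-context escaping.
// Assumes PHP 7.4+ with pdo_sqlite. SQLite in memory replaces MySQL and a
// bound parameter replaces mysql_real_escape_string() (same job: keep the
// data out of the SQL grammar). Table/column names are made up for the demo.

declare(strict_types=1);

// Constructed sample input: a legitimate value containing characters that
// every one of the escaping functions on the page would alter.
const SAMPLE_INPUT = "O'Reilly & <Sons> \"Ltd\"";

// The question's combined sanitiser, without the MySQL-specific step.
function clearSpecialChars(string $str): string
{
    $str = htmlentities($str);
    $str = strip_tags($str);
    return $str;
}

// Answer 2's sanitiser.
function sanitize(string $value): string
{
    return htmlentities(addslashes($value));
}

// Answer 1's approach for the database: store the value unmodified and
// let the driver bind it as a parameter, so it is never part of the SQL text.
function storeAndRead(PDO $db, string $value): string
{
    $db->exec('DELETE FROM users');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $value]);
    return (string) $db->query('SELECT name FROM users')->fetchColumn();
}

// Answer 1's approach for the page: escape once, at output, for the HTML
// text context the value is being written into.
function renderHtml(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');

$strategies = [
    'none'              => fn(string $s): string => $s,   // answer 1: no input transformation
    'clearSpecialChars' => 'clearSpecialChars',           // the question's function
    'sanitize'          => 'sanitize',                    // answer 2's function
];

foreach ($strategies as $label => $fn) {
    $stored = storeAndRead($db, $fn(SAMPLE_INPUT));
    printf("%-17s stored:            %s\n", $label, $stored);
    printf("%-17s rendered as HTML:  %s\n", '', renderHtml($stored));
    printf("%-17s round-trip intact: %s\n\n", '', $stored === SAMPLE_INPUT ? 'yes' : 'no');
}
```

Run it with `php contextual_escaping.php`. With no input transformation, the value read back from the table is exactly what the user typed, and the HTML output carries each special character escaped once. With either combined sanitiser the stored row already contains entities such as `&amp;` (and, with sanitize, the backslashes that addslashes inserted, because a bound parameter does not strip them the way a raw string interpolation would), so the output-time escaping turns `&amp;` into `&amp;amp;` and the browser displays the literal text `&amp;`. The only way to make such a row display cleanly is to skip the escaping at output, which is exactly the step that protects the page. The whole point of answer 1 is that each escaping function belongs to one output context and should run at the moment the value enters that context, not once at input.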



Source: https://stackoverflow.com/questions/8800986/is-it-recommended-to-have-a-santizing-function-that-combines-two-or-more-built-i
