PHP & mySQL: When exactly to use htmlentities?

Backend · Unresolved · 4 · 1167
遥遥无期 2020-12-04 20:14

PLATFORM: PHP & mySQL

For my experimentation purposes, I have tried out a few of the XSS injections myself on my own website. Consider this situat

4 answers
  • 2020-12-04 20:50

    Here's the general rule of thumb.

    Escape variables at the last possible moment.

    You want your variables to be clean representations of the data. That is, if you are trying to store the last name of someone named "O'Brien", then you definitely don't want these:

    O&#039;Brien
    O\'Brien
    

    ... because, well, that's not his name: there are no ampersands or slashes in it. When you take that variable and output it in a particular context (e.g. insert into an SQL query, or print to an HTML page), that is when you modify it.

    // The clean value, stored and passed around exactly as the user gave it.
    $name = "O'Brien";
    
    // SQL context: escaped only while the query string is being built.
    $sql = "SELECT * FROM people "
         . "WHERE lastname = '" . mysql_real_escape_string($name) . "'";
    
    // HTML context: entity-encoded only while the markup is being built.
    $html = "<div>Last Name: " . htmlentities($name, ENT_QUOTES) . "</div>";
    

    You never want to have htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, or anything which isn't HTML?

    Keep the data clean, and only escape for the specific context of the moment.

    0 · Discussion (0)
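The "escape at the last possible moment" rule from this answer, carried through for several output contexts in one added example (my code, not the answerer's). It keeps a single clean value and escapes it separately for SQL, HTML, JSON and CSV. The `people` table, its `lastname` column and the `mysqli` connection are assumptions; the SQL part uses a prepared statement, which replaces `mysql_real_escape_string` (removed in PHP 7) and keeps the value out of the query text altogether.

```php
<?php
// Added example, not code from the answer above.
// Assumes: a mysqli connection $db and a table people(lastname TEXT).
declare(strict_types=1);

// The raw value as it arrived (e.g. $_POST['lastname']); stored and kept unmodified.
$name = "O'Brien";

// 1. SQL context: a bound parameter is sent as data, never parsed as SQL,
//    so no escaping function is needed at all.
function findPerson(mysqli $db, string $lastname): array
{
    $stmt = $db->prepare("SELECT * FROM people WHERE lastname = ?");
    $stmt->bind_param("s", $lastname);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 2. HTML context: encode only while building markup.
//    ENT_QUOTES also encodes ' and " so the value is safe inside attribute values;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning "".
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. JSON context (e.g. a REST response): json_encode does its own escaping.
//    The JSON_HEX_* flags additionally hex-encode <, >, &, ' and " so the
//    document can be embedded in a <script> block without breaking out of it.
function jsonBody(array $data): string
{
    return json_encode(
        $data,
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// 4. CSV context: fputcsv quotes fields that need it; HTML entities are not wanted here.
function csvRow(array $fields): string
{
    $fh = fopen('php://memory', 'r+');
    fputcsv($fh, $fields);
    rewind($fh);
    $line = stream_get_contents($fh);
    fclose($fh);
    return $line;
}

// Usage: the same $name, escaped differently for each consumer.
echo "<div>Last Name: " . htmlText($name) . "</div>\n";
echo jsonBody(['lastname' => $name]) . "\n";
echo csvRow(['lastname', $name]);
// $rows = findPerson($db, $name);   // $db = new mysqli(/* placeholder connection details */);
```

Each function only knows its own context: the HTML helper turns the apostrophe into a numeric entity, the JSON helper into a `\u` escape, and the CSV helper leaves it untouched, which is exactly why the stored value must remain the plain `O'Brien`.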
  • 2020-12-04 20:51

    In essence, you should use mysql_real_escape_string prior to database insertion (to prevent SQL injection) and then htmlentities, etc. at the point of output.

    You'll also want to apply sanity checking to all user input to ensure (for example) that numerical values are really numeric, etc. Functions such as is_int, is_float, etc. are useful at this point. (See the variable handling functions section of the PHP manual for more information on these functions and other similar ones.)

    0 · Discussion (0)
  • 2020-12-04 20:57

    I've been through this before and learned two important things:

    If you're getting values from $_POST/$_GET/$_REQUEST and plan to add to DB, use mysql_real_escape_string function to sanitize the values. Do not encode them with htmlentities.

    Why not just encode them with htmlentities and put them in database? Well, here's the thing - the goal is to make data as meaningful and clean as possible and when you encode the data with htmlentities like Jeff's Dog becomes Jeff&quot;s Dog ... that will cause the context of data to lose its meaning. And if you decide to implement REST services and you fetch that string from DB and put it in JSON - it'll come up like Jeff&quot;s Dog which isn't pretty. You'd have to add another function to decode as well.

    Suppose you want to search for "Jeff's Dog" using SQL "select * from table where field='Jeff\'s Dog'", you won't find it since "Jeff's Dog" does not match "Jeff&quot;s Dog." Bad, eh?

    To output alphanumeric strings (from CHAR type) to a webpage, use htmlentities - ALWAYS!

    0 · Discussion (0)
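The lookup failure this answer describes, reproduced in an added example (my code, not the answerer's). It stores `Jeff's Dog` twice, once clean and once run through `htmlentities`, then searches for the value the user actually typed; only the clean row is found, and the pre-encoded row also comes out double-encoded when finally rendered as HTML. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the `pets` table and the sample value are constructed for the example.

```php
<?php
// Added example, not code from the answer above.
// Assumes the pdo_sqlite extension; the pets table is constructed here.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE pets (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");

$userInput = "Jeff's Dog";   // constructed sample, as it would arrive in $_POST['name']

// Store it both ways: clean, and HTML-encoded "just in case".
$insert = $db->prepare("INSERT INTO pets (name) VALUES (?)");
$insert->execute([$userInput]);                                      // row 1: Jeff's Dog
$insert->execute([htmlentities($userInput, ENT_QUOTES, 'UTF-8')]);   // row 2: Jeff&#039;s Dog

// Search by the value the user typed. The bound parameter needs no escaping,
// so the apostrophe is compared literally.
function findByName(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT id, name FROM pets WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$hits = findByName($db, $userInput);
printf("rows matching %s: %d (only the clean row)\n", var_export($userInput, true), count($hits));

// Render every stored row for HTML at output time, as the answers recommend.
foreach ($db->query("SELECT id, name FROM pets") as $row) {
    $html = htmlspecialchars($row['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Row 2 is encoded a second time here: its '&' becomes '&amp;', so the
    // browser shows the literal text "&#039;" instead of an apostrophe.
    printf("row %d  stored: %-18s  html: %s\n", $row['id'], $row['name'], $html);
}
```

Passing `false` as the `double_encode` argument of `htmlspecialchars` would hide the symptom for row 2, but it would not make the equality search work and would leave the JSON and CSV consumers from the other answers carrying entities; the fix is to store the clean value.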
  • 2020-12-04 21:02
    1. Only before you are printing a value (no matter whether from the DB or from $_GET/$_POST) into HTML. htmlentities has nothing to do with the database.
    2. B is overkill. You should mysql_real_escape_string before inserting into the DB, and htmlentities before printing to HTML. You don't need to strip tags; after htmlentities, tags will be displayed on screen as `<br/>` etc.

    Theoretically you may do htmlentities before inserting to DB, but this might make further data processing harder, if you would need original text.

    3. See above
    
    0 · Discussion (0)