Disallow characters in text field

Developer https://www.devze.com 2023-03-14 02:12 Source: Internet

Should I disallow characters like ",',>,<,\ ... to be typed in an upload forms text field? The text will be send through PHP to a blog.

I heard that some characters might cause trouble and could be used to "hack / harm" servers. Which characters should be restricted?

Thanks for your input. Michael


There is no need to restrict anything. The problem is that you have to sanitize all user input; for this specific type of data (possible HTML) it is necessary and enough to use htmlspecialchars on all user-provided data before displaying it as part of your page.

For example, if your form has a textarea named post-body, you should receive the user input (e.g. with $_REQUEST['post-body']) and save it to your database as-is (warning: use mysql_real_escape_string or PDO to protect yourself from SQL injection at this stage!). When the time comes to display it, you would retrieve it from the database and print it with something like

echo htmlspecialchars($postBody);

See this question for some more background on data sanitization.


User data should be sanitized with the htmlspecialchars function each time you output it, to avoid XSS attacks.

Also, to use user data in SQL queries, use PDO with prepared statements or the mysql_real_escape_string function to avoid SQL injection. Example.
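The approach the two answers above describe, storing the text as typed with a prepared statement and escaping only when rendering, as an added example that is not part of the original answers. It uses an in-memory SQLite database so it runs offline; the posts table, its column names and the sample input are assumptions:

```php
<?php
// Added example, not code from the original answers. It stores the raw text with
// a PDO prepared statement and escapes only when rendering. The in-memory SQLite
// database, the posts table, its columns and the sample input are assumptions.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Save the post body exactly as typed. The bound parameter is sent as data, so
// quotes and backslashes in it never become part of the SQL statement.
function savePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? '' : (string) $row['body'];
}

// Escape at the output boundary. ENT_QUOTES converts both quote characters, so
// the result is safe as element text and inside single- or double-quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function renderPost(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: every character the question lists, plus a quote
// that would break a concatenated SQL string and a script tag.
$input = "O'Reilly said \"hi\" <script>alert(1)</script> \\ '); DROP TABLE posts; --";

$db = openDb();
$id = savePost($db, $input);
$stored = loadPost($db, $id);

// Storage is lossless and the injection attempt stayed inert.
if ($stored !== $input) {
    throw new RuntimeException('Storage must not alter the user text');
}
if ((int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn() !== 1) {
    throw new RuntimeException('Table should still contain exactly one row');
}

// Rendering: the browser receives entities, not markup.
echo '<p>' . renderPost($stored) . "</p>\n";
echo '<input type="text" name="post-body" value="' . renderPost($stored) . "\">\n";
```

Run it with the php CLI (it needs the pdo_sqlite extension). None of the characters from the question are rejected; the stored row is byte-for-byte what was typed, and only the echoed HTML differs, with &lt;, &gt;, &quot; and &#039; in place of the raw characters. The same pattern applies unchanged to a MySQL DSN.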


    <?php
    // $string holds the submitted text. Undo backslash-escaped double quotes
    // (a leftover of magic_quotes_gpc); stripslashes() would handle all cases.
    $string = str_replace("\\\"", "\"", $string);
    // Escape HTML metacharacters; ENT_QUOTES also covers single quotes.
    $string = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
    // Line breaks to <br>: useful for block display only; inside an input's
    // value attribute the tags show up literally.
    $string = preg_replace("/\r\n|\n|\r/", "<br>", $string);
    ?>

    <input type="text" name="string" id="string" value="<?= $string ?>">