security - How to escape output in PHP

Question

Welcome To Ask or Share your Answers For Others

security - How to escape output in PHP

posted Oct 24, 2021 in Technique[技术] by 深蓝 (71.8m points)

security - How to escape output in PHP

I am a newbie, just to be clear. I hear a lot about escaping data to prevent XSS attacks. How do I actually do that?

This is what I am doing currently -

$s = mysqli_real_escape_string($connect,$_POST['name']));

Is this enough? Thanks

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙；凝视深渊过久,深渊将回以凝视…

1 Reply

深蓝 · Answer 1 · 2021-10-23T20:04:48+0000

If you output the data to html you should use htmlspecialchars() else, if you're storing the data in a database you should escape strings using mysqli_real_escape_string() and cast numbers (or use prepared statements for both) and protect identifiers/operators by whitelist-based filtering whem.

Both these methods are all you need if you use them the correct way.

Categories

security - How to escape output in PHP

security - How to escape output in PHP

Please log in or register to add a comment.

Please log in or register to reply this article.

1 Reply

Please log in or register to add a comment.

Just Browsing Browsing

Most popular tags