Updated: 2023-01-15 22:36:27
You seem to be confusing escaping with data validation and data sanitization.
You need to validate any data that comes in. Yes, this means making sure that radio buttons contain legal values.
You need to sanitize any data that comes in. Should that text field contain HTML? No? strip_tags. Should that field be a number? Cast it as an integer.
You need to escape any data that you place in the database. If you're still using the prehistoric "mysql" extension, this means using mysql_real_escape_string on everything as you build your query -- not before.
You need to escape any data you echo to the user. htmlspecialchars is your friend.
I've previously explained this in more detail, though this is not a duplicate question.
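The four steps the answer above lists (validate, sanitize, escape for the database, escape for output) applied to one constructed form submission, as an added example that is not part of the original answer. The field names, the `orders` table and the database credentials are hypothetical, and the input array stands in for `$_POST`. Because the old "mysql" extension (and with it `mysql_real_escape_string`) was removed in PHP 7, the database step is shown with `mysqli` instead: first escaping inline while the query string is built, as the answer describes, then the prepared-statement form that makes hand escaping unnecessary.

```php
<?php
// Added example, not code from the original answer. Field names, table name
// and credentials are hypothetical; $input is a constructed stand-in for $_POST.
$input = [
    'color'   => 'red',                                      // radio button
    'comment' => 'Hi <b>there</b> <script>alert(1)</script>', // free text
    'qty'     => '12abc',                                    // should be a number
];

// 1. Validate: a radio button may only carry one of the values the form offers.
//    Anything else is a tampered request, not bad formatting, so reject it.
$allowedColors = ['red', 'green', 'blue'];
if (!in_array($input['color'] ?? '', $allowedColors, true)) {
    http_response_code(400);
    exit('invalid color');
}
$color = $input['color'];

// 2. Sanitize: the comment must not contain HTML, and the quantity must be an
//    integer. strip_tags removes the tags but keeps their text, so the comment
//    becomes "Hi there alert(1)"; the cast turns "12abc" into 12.
$comment = strip_tags((string) ($input['comment'] ?? ''));
$qty     = (int) ($input['qty'] ?? 0);

// 3. Escape for the database at the moment the query is built. real_escape_string
//    depends on the open connection's character set, which is why the answer
//    says to escape while building the query rather than earlier.
$db  = new mysqli('localhost', 'app_user', 'app_password', 'shop');
$sql = sprintf(
    "INSERT INTO orders (color, comment, qty) VALUES ('%s', '%s', %d)",
    $db->real_escape_string($color),
    $db->real_escape_string($comment),
    $qty
);
$db->query($sql);

//    The same insert as a prepared statement: the values travel separately from
//    the SQL text, so no escaping step can be forgotten or applied twice.
$stmt = $db->prepare('INSERT INTO orders (color, comment, qty) VALUES (?, ?, ?)');
$stmt->bind_param('ssi', $color, $comment, $qty);
$stmt->execute();

// 4. Escape for output. What was stored is still raw text; strip_tags is not an
//    XSS defence on its own, so encode for the HTML context when echoing.
echo '<p>Color: '   . htmlspecialchars($color,   ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>Comment: ' . htmlspecialchars($comment, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<p>Qty: '     . $qty . '</p>';
```

Note that each step protects a different boundary: validation and sanitization decide what the application will accept, database escaping (or binding) keeps the data from being interpreted as SQL, and `htmlspecialchars` keeps it from being interpreted as markup. Doing one of them does not remove the need for the others.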