This may be a possible duplicate of this question here, but it doesn't really address and answer my question in a way that I (stupid-head) can understand it.
Ok, I've got a webpage form as seen in my previous question. Before using $txtpost in my MySQL query, I now added $txtpost = htmlentities($txtpost, ENT_QUOTES);, which should protect me from XSS attacks. But, as a user points out on php.net, it won't protect me from JavaScript injections. That said, how can I prevent such JavaScript injections? As you can see in the code from the previous question, I don't know what exactly will be entered into the text field, so I can't only allow specific values. Note that all code from the previous question, which was wrong, is now repaired and it all works fine at the moment.
VicStudio
Well, it is true that you won't be protected from people putting HTML into your database.
First of all
Will escape quotes, rendering an SQL injection less probable. But I can still do
OR 1 = 1
, which renders every statement true. Modern technology relies on prepared statements (How to replace MySQL functions with PDO?). If you read the above you'll see a PDO example of a prepared statement. You can also do this with MySQLi. It prevents people from being able to do SQL injection.
Second: Yes, I can still put things like
Into your database. You should define the elements you like into your database by using a sanity function. PHP gives you several
The conclusion is that you need to be in control. You decide what goes onto your page. So if you want to be safe you can filter everything and put it on your page as plain text. For safety I recommend sanitizing three times: before the stuff is posted, when it is passed onto the database, and again when it is put onto the page. This way you minimize the danger of having an injection.
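As an added illustration of the two separate defences discussed in this answer (it is example code, not the asker's form or the answerer's code): the submitted $txtpost is bound as a PDO parameter so it can never change the SQL statement, and it is escaped with htmlspecialchars only at the point where it is written into HTML, which is what stops injected <script> tags from running. The table name `posts`, its `body` column and the DSN credentials are assumed placeholders.

```php
<?php
// Added example: protecting a form field against SQL injection (bound
// parameter) and XSS (escape on output). Table/DSN values are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
        'PLACEHOLDER_USER',
        'PLACEHOLDER_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        ]
    );
}

// SQL injection: the value travels as a bound parameter, never concatenated
// into the query text, so an input like "' OR 1 = 1" is stored as plain text.
function storePost(PDO $pdo, string $txtpost): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $txtpost]);
    return (int) $pdo->lastInsertId();
}

// XSS: escape at the moment the text goes into HTML. ENT_QUOTES covers both
// quote styles, so the value is also safe inside a quoted attribute.
function renderPost(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage: store the raw submission, escape only when rendering.
$pdo = connect();
$txtpost = $_POST['txtpost'] ?? '';
$id = storePost($pdo, $txtpost);
echo renderPost($pdo, $id);
```

Storing the raw text and escaping on output keeps the database contents searchable and lets the same value be rendered safely in other contexts (JSON, email) with the escaping function appropriate to each.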