开发者

Php GET and POSTs: what is the safest way to handle them?

开发者 https://www.devze.com 2023-03-28 06:23 出处：网络

I\'m already using http://php.net/pdo so I can get whatever I want from the user input, I store it in a safe way in 开发者_StackOverflow社区my database.

相关专题：php security

I'm already using http://php.net/pdo so I can get whatever I want from the user input, I store it in a safe way in 开发者_StackOverflow社区my database.

Now I want to display what I have in my database into a Web page. How can I construct a Web page a be sure that there can be no JavaScript or whatever that will be executed when the page is displayed?

Sorry I'm very tired, I've been working for 12 hours now, if someone can correct the mistakes I've done when posting my question...

Thank you very much.

htmlentities(stripslashes($stmt_result->data), ENT_QUOTES, 'UTF-8');

htmlentities() will encode chars like > to > and stripslashes() will delete backslashes from escaped string.

Use htmlentities before outputting the text from the database.

You'll need to use striptags() and htmlentities(). But simply removing <script> blocks won't be enough, as you'll still have the onWhatever="" tags attributes to worry about as well.