I got
$id = (int) $_POST['id']
$content = filter_input(INPUT_POST, 'post_content', FILTER_SANITIZE_STRING);
The above, is making my $content string secured, when I post it to the database:
$conn->new->query("UPDATE `posts` SET `content` = " . $conn->escape_string($con开发者_开发问答tent) . " where `id` = {$id};");
But at the same, is does remove some special characters like tags, for example I can not use < in my post , because it'll be removed.
How can I modify that, to be secured enough and at the same prevent my code from hack?
Escaping is the process of allowing certain characters that could have detrimental effects on the target system. For example, MySQL uses characters like quotes and parentheses. mysql_real_escape_string escapes such characters so they don’t pollute the queries.
You don’t necessarily need to sanitize HTML from data before storing it in the database, but you MUST escape harmful characters. As @Damien pointed out in a comment, you can escape HTML (which could have detrimental effects on your HTML) before output .
Just use real_escape_string() and already must good and secure ^_^
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论