PHP PDO: how to prevent javascript and html tags injection
I am using following script to update some data in MYSQL table, for that i am taking data from user. But it is not preventing from javascript and html tags.
$attri= //containing field name like ("name=?, email=?")
$value= //containing corresponding values like ("john", "email@exam.com")
$sql_pro = "UPDATE regist SET ".$attri." WHERE user_id = ".$_SESSION['user_id'];
$stmt_pro = $db->prepare($sql_pro);
$i=1;
foreach($value as $k=>$v){
$stmt_pro->bindValue($i,$v, PDO::PARAM_STR);
$i++;
}
$stmt_pro->execute();
if($stmt_pro){
return true;
}
How can i prevent from javascript and html tag injection?
Update Is there any good way to sanitize input field data before adding into database in PHP PDO.
I know how to do it with mysql_real_escape_string, htmlentities and strip_tags. thanks
You need proper form input validation and output escaping. Use htmlspecialchars()
when you display your string.
As far as sanitizing input, strip_tags
is the quck n' dirty way to do what you want but a much better practice is to make a list of characters that are allowed and use regex to validate.
if (preg_match('/[^a-zA-Z0-9_]/', $username)) {
//Contains a character not in A-Z,0-9, or underscore
} else {
//Username is fine
}
链接地址: http://www.djcxy.com/p/93760.html
上一篇: 用准备好的PDO语句解释消毒输入