I know that I need to use htmlspecialchars to escape output when displaying it on a web page. Do I have to escape every output variable with htmlspecialchars?
I am just wondering whether I need to do that for every single piece of data that is output, or only for those pieces of data the user might control.
For example, the first code block below is not escaped and the second one has been escaped.
Do I need to escape an ID from the database and a variable that is only ever set within the page?
Or only the variables that contain data the user can edit - in the example below that would be $post_label and $post_content.
Code before escaping:
$recent = '';
while ($row = $stmt->fetch()) {
    // Raw values straight from the database, nothing escaped
    $post_id = $row['ID'];
    $post_date = $row['post_date'];
    $post_content = $row['post_content'];
    $post_label = $row['post_label'];
    $fld_cat = $row['fld_cat'];
    // ISO day of week (1 = Monday .. 7 = Sunday); weekends get a different style
    $post_day_num = date('N', strtotime($post_date));
    if ($post_day_num > 5) {
        $css = "success";
    } else {
        $css = "info";
    }
    // Build the HTML for this post; $post_content and $fld_cat go in as-is
    $recent .= "<div class='alert alert-$css'>\n";
    $recent .= " <div>\n";
    $recent .= " <strong>" . date('D d-M-Y', strtotime($post_date)) . " | $fld_cat</strong> | \n";
    $recent .= " <a href='default.php?id=$post_id&mode=edit'>Edit</a> | \n";
    $recent .= " <a href='default.php?id=$post_id&mode=delete'>Delete</a>\n";
    $recent .= " </div>\n";
    $recent .= " <div>$post_content</div>\n";
    $recent .= "</div>\n";
}
Code after escaping:
$recent = '';
while ($row = $stmt->fetch()) {
    // Every value is passed through htmlspecialchars as soon as it is read,
    // including ones that are never placed into the HTML ($post_label, $post_day_num)
    $post_id = htmlspecialchars($row['ID']);
    $post_date = htmlspecialchars($row['post_date']);
    $post_content = htmlspecialchars($row['post_content']);
    $post_label = htmlspecialchars($row['post_label']);
    $fld_cat = htmlspecialchars($row['fld_cat']);
    $post_day_num = htmlspecialchars(date('N', strtotime($post_date)));
    if ($post_day_num > 5) {
        $css = "success";
    } else {
        $css = "info";
    }
    // Same markup as before, now built from the escaped copies
    $recent .= "<div class='alert alert-$css'>\n";
    $recent .= " <div>\n";
    $recent .= " <strong>" . date('D d-M-Y', strtotime($post_date)) . " | $fld_cat</strong> | \n";
    $recent .= " <a href='default.php?id=$post_id&mode=edit'>Edit</a> | \n";
    $recent .= " <a href='default.php?id=$post_id&mode=delete'>Delete</a>\n";
    $recent .= " </div>\n";
    $recent .= " <div>$post_content</div>\n";
    $recent .= "</div>\n";
}
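The following is an added example, not code from the question above, showing the rule a practitioner applies to this loop: escape at the point of output, and escape for the context the value lands in. Values that are computed in code and can only ever be one of a few fixed strings (`$css`) need no escaping; anything that originates in the database and is written into HTML (`$fld_cat`, `$post_content`, the formatted date) is HTML-escaped; a value placed into a URL query string (`$post_id`) is URL-encoded first and the whole URL is then HTML-escaped because it sits inside an attribute. Two caveats the question's "after" block misses: escaping `$post_date` before handing it to strtotime() gains nothing, and because the markup uses single-quoted attributes the call must pass ENT_QUOTES, since before PHP 8.1 the default htmlspecialchars flags (ENT_COMPAT) leave the single quote unescaped. The helper names `e()`, `attr_url()` and `render_recent()` and the sample rows are my own constructions and stand in for the `$stmt->fetch()` loop.

```php
<?php
// Added example, not from the original question. Helper names e(), attr_url()
// and render_recent() are hypothetical; $rows below is constructed sample data
// standing in for rows returned by $stmt->fetch().

// HTML escaping for text nodes and attribute values. ENT_QUOTES is required
// because the markup uses single-quoted attributes; before PHP 8.1 the default
// flags left ' alone. ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A value inside a query string is URL-encoded first (http_build_query), and
// the resulting URL is HTML-escaped because it is written into an attribute.
// This also turns the bare & between parameters into &amp;.
function attr_url(string $path, array $query): string
{
    return e($path . '?' . http_build_query($query));
}

function render_recent(iterable $rows): string
{
    $recent = '';
    foreach ($rows as $row) {
        // Keep raw values; escaping happens where each value is output.
        $post_id      = (string) $row['ID'];
        $post_date    = $row['post_date'];
        $post_content = $row['post_content'];
        $fld_cat      = $row['fld_cat'];

        // Computation works on the raw date; escaping it first is pointless.
        $ts  = strtotime($post_date);
        // $css can only be one of two literals set in code: no escaping needed.
        $css = (date('N', $ts) > 5) ? 'success' : 'info';

        $recent .= "<div class='alert alert-$css'>\n";
        $recent .= " <div>\n";
        $recent .= " <strong>" . e(date('D d-M-Y', $ts)) . " | " . e($fld_cat) . "</strong> | \n";
        $recent .= " <a href='" . attr_url('default.php', ['id' => $post_id, 'mode' => 'edit']) . "'>Edit</a> | \n";
        $recent .= " <a href='" . attr_url('default.php', ['id' => $post_id, 'mode' => 'delete']) . "'>Delete</a>\n";
        $recent .= " </div>\n";
        $recent .= " <div>" . e($post_content) . "</div>\n";
        $recent .= "</div>\n";
    }
    return $recent;
}

// Constructed sample rows. The second row carries the kind of values that
// break unescaped output: a quote that closes the href attribute, a script
// tag in the body, and markup plus a single quote in the category.
$rows = [
    [
        'ID'           => '17',
        'post_date'    => '2023-06-05 10:00:00',   // Monday -> alert-info
        'post_content' => 'Plain post',
        'fld_cat'      => 'notes',
    ],
    [
        'ID'           => "9' onmouseover='alert(1)",
        'post_date'    => '2023-06-10 10:00:00',   // Saturday -> alert-success
        'post_content' => '<script>alert(document.cookie)</script>',
        'fld_cat'      => "it's <b>bold</b>",
    ],
];

echo render_recent($rows);
```

Run it with `php example.php` and inspect the second block of output: the ID appears in the href as `id=9%27+onmouseover%3D%27alert%281%29&amp;mode=edit`, the script tag is rendered as literal text, and the category keeps its quote and tags inert. Whether a value is "user-editable" is not the test; what matters is that it is not a compile-time constant of your own code and that it is being written into an HTML or URL context.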