不要相信外部源
- $_GET
- $_POST
- $_REQUEST
- $_COOKIE
- $argv
- php://stdin
- php://input
- file_get_contents()
- 远程数据库
- 远程 API
- 来自客户端的数据
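<?php

declare(strict_types=1);

// Demonstration: every value below stands in for data from an untrusted source
// ($_GET, $_POST, $_COOKIE, php://input, a remote API, ...). Each value is made
// safe for ONE specific output context before it is echoed; there is no
// universal "sanitise" that covers every context.

// 1. HTML context: encode so the browser renders the markup as text instead of
//    executing it. ENT_QUOTES also encodes single quotes (needed inside attributes);
//    ENT_SUBSTITUTE replaces invalid UTF-8 sequences with U+FFFD instead of
//    silently returning an empty string, which matters when the bytes are
//    attacker-controlled.
$input = '<p><script>alert("You won the Nigerian lottery!");</script></p>';
echo htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . PHP_EOL;
// &lt;p&gt;&lt;script&gt;alert(&quot;You won the Nigerian lottery!&quot;);&lt;/script&gt;&lt;/p&gt;

// 2. E-mail: FILTER_SANITIZE_EMAIL only strips characters that cannot appear in
//    an address; it does not validate the result. Use FILTER_VALIDATE_EMAIL when
//    the question is "is this a well-formed address?".
$email = 'john介样子@example.com';
$emailSafe = filter_var($email, FILTER_SANITIZE_EMAIL);
echo $emailSafe . PHP_EOL;
// john@example.com

// 3. Generic string: FILTER_FLAG_STRIP_LOW removes bytes below 32 (here "\n"
//    and "\t"); FILTER_FLAG_ENCODE_HIGH turns every byte above 127 into a
//    decimal numeric entity, so each multibyte UTF-8 character becomes several
//    entities. NOTE: FILTER_SANITIZE_STRING is deprecated since PHP 8.1 and
//    emits E_DEPRECATED; for HTML output prefer
//    htmlspecialchars($string, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
$string = "\ni18n说的话\t";
$safeString = filter_var(
    $string,
    FILTER_SANITIZE_STRING,
    FILTER_FLAG_STRIP_LOW | FILTER_FLAG_ENCODE_HIGH,
);
echo $safeString . PHP_EOL;
// i18n&#232;&#175;&#180;&#231;&#154;&#132;&#232;&#175;&#157;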