不要相信外部源
- $_GET
- $_POST
- $_REQUEST
- $_COOKIE
- $argv
- php://stdin
- php://input
- file_get_contents()
- 远程数据库
- 远程api
- 来自客户端的数据
<?php
$input = '<p><script>alert("You won the Nigerian lottery!");</script></p>';
echo htmlentities($input, ENT_QUOTES, 'UTF-8').PHP_EOL;
// <p><script>alert("You won the Nigerian lottery!");</script></p>
$email = 'john介样子@example.com';
$emailSafe = filter_var($email, FILTER_SANITIZE_EMAIL);
echo $emailSafe.PHP_EOL;
// [email protected]
$string = "\ni18n说的话\t";
$safeString = filter_var(
$string,
FILTER_SANITIZE_STRING,
FILTER_FLAG_STRIP_LOW | FILTER_FLAG_ENCODE_HIGH
);
echo $safeString.PHP_EOL;
// i18n说的è¯