Do values listed from the database need to be sanitized?

Time: 2017-12-20 10:38:41

Tags: php xss filter-var

Regarding PDO, I want to be sure whether I am doing it right or wrong when sanitizing values after a select query, especially for avoiding XSS attacks.

$cagri_durumb = 1;
$bek_servis = $user_home->runQuery(
    'SELECT * FROM cagri_kayitlari
     INNER JOIN personeller ON cagri_kayitlari.cagri_servis_perid = personeller.per_id
     WHERE cagri_durum = :cagri_durum
       AND cagri_islem_tarihi NOT BETWEEN :bugun AND :yarin'
);
$bek_servis->bindParam(':cagri_durum', $cagri_durumb, PDO::PARAM_STR);
// $bugun and $yarin are not defined in the snippet; assumed to be set earlier in the script
$bek_servis->bindParam(':bugun', $bugun, PDO::PARAM_INT);
$bek_servis->bindParam(':yarin', $yarin, PDO::PARAM_INT);
$bek_servis->execute();
$bek_servisa = $bek_servis->fetchAll(PDO::FETCH_ASSOC);

foreach ($bek_servisa as $servisa) {
    // Each column is passed through filter_var() before being echoed into the HTML
    echo '<a href="servisbasla.php?id=' . filter_var($servisa['cagri_id'], FILTER_SANITIZE_NUMBER_INT) . '"'
        . ' data-toggle="tooltip" data-placement="left"'
        . ' title="' . filter_var($servisa['cagri_sebep'], FILTER_SANITIZE_STRING) . '">'
        . filter_var($servisa['cari_unvan'], FILTER_SANITIZE_STRING) . '</a> - '
        . filter_var($servisa['per_isim'], FILTER_SANITIZE_STRING) . ' / '
        . date('d.m.Y', strtotime($servisa['cagri_islem_tarihi'])) . '<br />';
}

When listing values from the database, do I have to use a FILTER_SANITIZE_... filter in every echo?

If I have to use them, is the FILTER_SANITIZE_STRING filter enough for text values?
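As an added example, not code from the question: the same listing loop with escaping chosen per output context (htmlspecialchars for HTML text and attributes, an integer cast plus URL encoding for the query-string id), run over a constructed row, with the result of the question's FILTER_SANITIZE_STRING approach shown beside it for comparison. The helper names `e` and `render_row` and the sample values are assumptions.

```php
<?php
// Added example (not from the question). Sample rows are constructed, not read from a database.
declare(strict_types=1);

// Escape a value for HTML text content or a quoted HTML attribute.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Build the same anchor as the question's loop, escaping each value for the context it lands in.
function render_row(array $servisa): string
{
    // The id ends up in a URL query string: force an integer, then URL-encode it.
    $id   = (int) $servisa['cagri_id'];
    $href = 'servisbasla.php?' . http_build_query(['id' => $id]);

    return '<a href="' . e($href) . '" data-toggle="tooltip" data-placement="left"'
        . ' title="' . e($servisa['cagri_sebep']) . '">' . e($servisa['cari_unvan']) . '</a>'
        . ' - ' . e($servisa['per_isim'])
        . ' / ' . e(date('d.m.Y', strtotime($servisa['cagri_islem_tarihi'])))
        . "<br />\n";
}

// Constructed row: values that could have been stored through another form in the application.
$rows = [[
    'cagri_id'           => '42',
    'cagri_sebep'        => 'Printer "jam" <script>alert(1)</script>',
    'cari_unvan'         => "O'Reilly & Sons",
    'per_isim'           => 'Ayse <b>Y</b>',
    'cagri_islem_tarihi' => '2017-12-19 09:00:00',
]];

foreach ($rows as $servisa) {
    echo render_row($servisa);   // every < > " ' & is encoded, nothing is silently dropped
}

// For comparison, the question's filter on one of the same values. FILTER_SANITIZE_STRING
// removes anything that looks like a tag (so legitimate text such as "a < b" loses content),
// encodes quotes, leaves a bare & as-is, and is deprecated since PHP 8.1.
echo filter_var($rows[0]['cagri_sebep'], FILTER_SANITIZE_STRING), "\n";
```

Sanitizing at output time removes or rewrites data; escaping at output time keeps the data intact and only changes how the browser interprets it, which is what the XSS concern here needs.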

0 answers:

No answers