Yii filters XSS code to prevent SQL injection

Source: Internet
Author: User
Tags: sql injection, yii

Original author: White Wolf. Source: www.manks.top/article/yii2_filter_xss_code_or_safe_to_database

The copyright belongs to the author. Reprinting is welcome, but without the author's consent this paragraph must be retained and a link to the original must be placed in an obvious location on the article page; otherwise the author reserves the right to pursue legal responsibility.

In real development, whatever language or framework is involved, web security is something you always have to consider, almost subconsciously.

It's like a river: the river is deep, and if you can't swim, the only way across is the one bridge over it.

So let's see how the different versions of the Yii framework deal with XSS attacks, SQL injection and so on.

What? What is XSS, what is SQL injection? Oh my, sorry, I don't know either; go ask the little brother, he'll help you out.

In layman's terms, there are two fundamental questions:

1. Content submitted through a form: how to store it in the database safely.

2. Data read back out: how to output it safely.

Some students are puzzled: my data was stored in the database safely, so it is already safe; why should I filter it again on output? Is the blogger confused? He's just making trouble for me.

No hurry, let's first take a look at how Yii handles what we call the security issue.

Whether it is Yii 1 or Yii 2, querying and inserting data can be done very well with AR (ActiveRecord), which makes it extremely simple to avoid SQL injection. Why is it so easy? Because underneath, AR is a wrapper around PDO and its prepared statements, so Mom no longer has to worry about injection.

Some students mutter: the SQL we query is very complex, Yii's AR can't do it, and you tell us not to write SQL? Let's see you do it. Don't scare the kids; "there is nothing it can't do" is something I'm hearing for the first time!

Of course, when no received parameters are involved, you can use native SQL as you like. But when external parameters are involved, if you want to run a raw SQL query please use placeholders (bound parameters) rather than your own "filter". Don't trust your own filter; frankly, I don't trust it either. If you insist on writing your own native SQL anyway, feel free.
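To make the difference concrete, here is an added example (not code from the original post or from the Yii project) showing the same lookup in Yii 2 written three ways: raw SQL with the value spliced into the statement, raw SQL with a named placeholder bound through PDO, and the query builder's hash condition, which AR uses internally. The `user` table, its `username` column and the `UserLookup` class name are assumptions made for the illustration.

```php
<?php
// Added example (not from the original post). Assumes a Yii 2 application
// with a configured `db` component and a `user` table that has `id` and
// `username` columns; the class and table names are illustrative.
use Yii;
use yii\db\Query;

class UserLookup
{
    // UNSAFE: the request value becomes part of the SQL text. A quote
    // character in $name ends the string literal and the rest of the value
    // is parsed as SQL. This is the "write your own filter" path the post
    // warns against; it is shown only as the pattern to avoid.
    public static function unsafeFind(string $name): array
    {
        $sql = "SELECT id, username FROM user WHERE username = '" . $name . "'";
        return Yii::$app->db->createCommand($sql)->queryAll();
    }

    // SAFE: native SQL with a named placeholder. bindValue() hands the value
    // to PDO separately from the statement, so whatever $name contains is
    // compared as data and never parsed as SQL.
    public static function safeFindRaw(string $name): array
    {
        return Yii::$app->db
            ->createCommand('SELECT id, username FROM user WHERE username = :name')
            ->bindValue(':name', $name)
            ->queryAll();
    }

    // SAFE: query builder hash condition. Yii compiles ['username' => $name]
    // into "username = :qp0" and binds :qp0 for you. ActiveRecord's
    // find()->where([...]) goes through exactly this code path.
    public static function safeFindBuilder(string $name): array
    {
        return (new Query())
            ->select(['id', 'username'])
            ->from('user')
            ->where(['username' => $name])
            ->all();
    }

    // CAVEAT: using the builder does not help if you hand it a string you
    // built yourself. A string condition is passed through verbatim, so this
    // is as injectable as unsafeFind(). Use the hash form or the $params
    // argument of where() instead.
    public static function stillUnsafe(string $name): array
    {
        return (new Query())->from('user')->where("username = '$name'")->all();
    }
}
```

The rule of thumb the post gives follows directly: external input is only ever passed as a bound parameter (`bindValue()`, the `$params` argument of `createCommand()`/`where()`, or an array condition), never concatenated into the statement text, regardless of whether the statement is raw SQL or built by AR.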

Let's look at question 2, safe output of data, which differs a little between Yii 1 and Yii 2.

In Yii 1, plain-text output is very simple: wrap the content you want to output in CHtml::encode(). Don't shout, I know what you want to say: for outputting HTML text you can use the following method:

$purifier = new CHtmlPurifier;
echo $purifier->purify($content);

Rest assured, any JS inside the content will be displayed as plain text, so the XSS problem here is taken care of.

And in Yii 2, how do you handle it?

<?= \yii\helpers\Html::encode($title) ?>          <!-- plain text -->
<?= \yii\helpers\HtmlPurifier::process($content) ?> <!-- HTML text to display -->

Note: processing with the HtmlPurifier helper class is time-consuming; it is recommended to add caching in front of it.
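Putting the two Yii 2 calls and the caching advice together, here is an added example (not code from the original post or from the Yii project) of a small view helper: plain strings go through `Html::encode()`, user-formatted HTML goes through `HtmlPurifier::process()` with a tightened whitelist, and the purified result is cached under a key derived from the content so the slow step runs once per distinct input. The `SafeOutput` class name, the cache key prefix, the TTL and the tag whitelist are assumptions; the helper expects the application's `cache` component to be configured.

```php
<?php
// Added example (not from the original post). Assumes a Yii 2 application
// with a configured `cache` component; class name, key prefix, TTL and the
// allowed-tag list are arbitrary choices for the illustration.
use Yii;
use yii\helpers\Html;
use yii\helpers\HtmlPurifier;

class SafeOutput
{
    // Plain text, e.g. a title or username: encode the HTML-significant
    // characters so "<script>alert(1)</script>" is rendered as visible text
    // and never interpreted by the browser.
    public static function text(string $value): string
    {
        return Html::encode($value);
    }

    // Content the user is allowed to format (comments, posts): whitelist-based
    // purification. Only the listed tags/attributes survive, scripts, event
    // handlers and javascript: URLs are dropped. The cache key includes a
    // hash of the content, so an edited post is purified again while an
    // unchanged one is served from cache.
    public static function richText(string $html, int $ttl = 3600): string
    {
        $key = ['purified-html', sha1($html)];
        return Yii::$app->cache->getOrSet($key, function () use ($html) {
            return HtmlPurifier::process($html, function ($config) {
                // tighten the default: basic formatting and http(s) links only
                $config->set('HTML.Allowed', 'p,b,i,em,strong,a[href],ul,ol,li,br');
                $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
            });
        }, $ttl);
    }
}

// Usage in a view file:
//   <h1><?= SafeOutput::text($title) ?></h1>
//   <div class="body"><?= SafeOutput::richText($content) ?></div>
```

Two points worth keeping in mind when adapting this: the cache only helps if the same content is rendered repeatedly, so for content that changes on every request the hash lookup is pure overhead; and the whitelist is the actual security boundary, so widen it deliberately rather than falling back to the purifier's permissive default when a user asks for one more tag.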
