此代码中的变量是否正确转义?

Are the variables in this code properly escaped?

我想我已经正确地逃脱了一切,但我想知道我是否做对了。我记得在某处读到我们不应该过滤输入,只过滤输出。就我而言,这是否意味着我不应该在任何地方使用函数 sanitize ?并坚持 prepare statementshtmlscpecialchars

<?php
    #Connection to the database
    function dbcon (){
        try{
            $db = new PDO('mysql:dbname=php_test;host=localhost','root','mysql');
        }
        catch (PDOException $e){
            echo $e->getMessage();
            exit();
        }
        return $db;
    }

    #Sanitize the input for preventing hacking attempts
    function sanitize($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    #Get the list of countries from the DB
    function getCountries() {
        $db = dbcon();
        $query = "SELECT country FROM countries";
        $stmt = $db->prepare($query);
        $stmt->execute();
        $countries = "";
        while ($row = $stmt->fetch()) {
            $countries .= '<option value= "'.$row['country'].'">'.$row['country'].'</option>';
        }
        return $countries;
    }


    $name = $email = $password = $password2 = $country = "";
    $validForm = True;

    #If it's a submission, validate the form
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        $db = dbcon();

        #Name validation
        $name = sanitize($_POST["name"]);
        if ((strlen($name) < 2) || (strlen($name) > 50)) {
            echo "<span style=\"color: #FF0000;\"> Name must have between 2 and 50 characters </span> <br>";
            $name = "";
            $validForm = False;
        }

        #Email validation
        $email = sanitize($_POST["email"]);
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            echo "<span style=\"color: #FF0000;\"> Check the format of the email </span> <br>";
            $email = "";
            $validForm = False;
        }
        else { #If it's a valid email, check whether or not it's already registered
            $query = "SELECT email FROM users;";
            $stmt = $db->prepare($query);
            $stmt->execute();
            $found = False;
            while (($row = $stmt->fetch()) and (!$found)) {
                if ($row["email"] == $email) {
                    $found = True;
                }
            }
            if ($found) {
                echo "<span style=\"color: #FF0000;\"> This email is already registered </span> <br>";
                $email = "";
                $validForm = False;
            }
        }

        #Password validation
        $password = sanitize($_POST["pass1"]);
        if ((strlen($password) < 6) || (strlen($password) > 20)) {
            echo "<span style=\"color: #FF0000;\"> Password must have between 6 and 20 characters </span> <br>";   
            $validForm = False;
        }
        else { #If it's a valid password, check whether or not both passwords match
            $password2 = sanitize($_POST["pass2"]);
            if ($password != $password2) {
                echo "<span style=\"color: #FF0000;\"> Passwords don't match </span> <br>";
                $validForm = False;
            }
            #If passwords match, hash the password
            else {
                $password = password_hash($password, PASSWORD_DEFAULT);
            }
        }

        #We don't need to validate country because it's retrieved from the DB, but we sanitize it just in case a hacker modified the POST using a proxy
        $country = sanitize($_POST["country"]);

        #All checks done, insert into DB and move to success.php
        if ($validForm) {
            $query = "INSERT INTO users VALUES(:name, :email, :password, :country);";
            $stmt = $db->prepare($query);
            $stmt->bindParam(':name', $name);
            $stmt->bindParam(':email', $email);
            $stmt->bindParam(':password', $password);
            $stmt->bindParam(':country', $country);
            $stmt->execute();
            header("Location: success.php");
        }
    }
?>
<html>
    <head>
    </head>
    <body>
        <!-- Submitting to this very file -->
        <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>" method="post">
            <table>
                <tr> <!-- Name -->
                    <td><label for="name">Name:</label></td>
                    <td><input type="text" name="name" value="<?php echo htmlspecialchars($name); ?>" required /></td> 
                    <td><span style="color: #FF0000;">*</span></td> 
                    <td>Between 2 and 50 characters</td>
                </tr>
                <tr> <!-- Email -->
                    <td><label for="email">Email:</label></td>
                    <td><input type="text" name="email" value="<?php echo htmlspecialchars($email); ?>" required/></td> 
                    <td><span style="color: #FF0000;">*</span></td>
                    <td>Must be a valid address</td>
                </tr>
                <tr> <!-- Password -->
                    <td><label for="pass1">Password:</label></td>
                    <td><input type="password" name="pass1" required/></td> 
                    <td><span style="color: #FF0000;">*</span> </td>
                    <td>Between 6 and 20 characters</td>
                </tr>
                <tr> <!-- Confirm password -->
                    <td><label for="pass2">Confirm password:</label></td>
                    <td><input type="password" name="pass2" required/></td>
                    <td><span style="color: #FF0000;">*</span></td>
                    <td>Must be the same as the password</td>
                </tr>
                <tr> <!-- Country -->
                    <td><label for="country">Country:</label></td>
                    <td><select name="country"> <?php echo getCountries(); ?></select></td>
                    <td><span style="color: #FF0000;">*</span></td> 
                </tr>
                <tr>
                    <td><input type="submit"></td>
                </tr>
            </table>
        </form>
    </body>
</html>

全部用PDO::prepare

完成

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

还有一个备用

PDO::quote

PDO::quote() places quotes around the input string (if required) and escapes special characters within the input string, using a quoting style appropriate to the underlying driver.

了解 XSS 注入Read this Answer too

在清理用户输入的数据时,我经常使用的一件事是使用 strip_tags()... 特别是如果要在某个时候回显内容......你不想使用你的表单轻松注入脚本。 尝试在其中一个文本元素中键入 <script>alert("hello");</scirpt> 并提交...