这是清理php $ _POST输入的好方法吗? [英] Is this a good way to sanatize php $_POST inputs?
问题描述
我在我的网站上使用此代码已有很长时间了,只想确保我正确清理了我的PHP $_POST输入信息...
I have been using this code on my website for a long time, and just want to make sure I am correctly sanatizing my PHP $_POST inputs...
foreach($_POST as $key=>$val) //this code will sanitize your inputs.
$_POST[$key] = mysqli_real_escape_string($connection, $val);
例如,我有要添加到数据库中的POST值$_POST['comment'],这是在进入数据库之前对其进行清理的好方法吗?
Say for example I had the POST value $_POST['comment'] that I wanted to add to a database, would this be a good and safe way to sanatize it before database entry?
foreach($_POST as $key=>$val) //this code will sanitize your inputs.
$_POST[$key] = mysqli_real_escape_string($connection, $val);
//is this safe? or is there another step?
$comment = $_POST['comment'];
if($comment != ""){
//add $comment to database
}
在将$comment添加到MYSQL数据库之前,我还需要做些什么吗?还是前两行本身就是魔术?请告诉我这是否是一种安全的方法,或者还有更好的方法!谢谢!
Is there something that I still need to do before adding $comment to the MYSQL database? Or do those top two lines do the magic by themselves? Please let me know if this is a good safe way to do it, or if there is an even better way! Thanks!
推荐答案
I already tried your way. It seems there's no magic function. However, from classic MySQL injections, you can be safe, when adding mysqli_real_escape_string to each posted value, then use it as a string (quoted) in the db, but it's considered bad practice, also is not the most secure way
由于MySQLi提出了参数化查询,因此您应该熟悉它们,并将与数据库驱动程序相对应的真实查询留给库.
Since MySQLi presents parametised queries, you should get familiar with them, and leave the real corresponding to the database driver, to the library.
这篇关于这是清理php $ _POST输入的好方法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
