这段代码真的可以对抗 SQL 注入吗? [英] Will this code actually work against SQL-injection?

问题描述

<块引用>

可能的重复:

Possible Duplicate:
PHP: the ultimate clean/secure function

I found this code snippet here: http://snipplr.com/view/12853/clean-variables-from-sql-injections/

The author claims:

This little function helps to fight common security issue with SQL injections, it can sanitize any global variable like $POST, $GET, $_SERVER etc and escape unsafe characters.

Is this code safe?

function _clean($str){
  return is_array($str) ? array_map('_clean', $str) : str_replace("\\", "\\\\"
       , htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str)
       , ENT_QUOTES));
}

//usage call it somewhere in beginning of your script
_clean($_POST);
_clean($_GET);
_clean($_REQUEST);// and so on..

Please enlighten me whether this is safe, 'cause it looks jury-rigged to me.

解决方案

Generic code cleaning functions are always a bad idea. They will break your data in one way or the other. Never use them; sanitize data right before it gets used, with the right sanitation method for the intended use.

Duplicate: PHP: the ultimate clean/secure function

这篇关于这段代码真的可以对抗 SQL 注入吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！