在 php 中清理整个 $_POST 数组的好方法是什么? [英] what is a good method to sanitize the whole $_POST array in php?
问题描述
我有一个包含很多变量的表单,然后发送电子邮件,而不是使用 filter_var($_POST['var'], FILTER_SANITIZE_STRING) 清理每个 我想要一段更简单的代码.我想出了以下内容,这似乎有效,因为我相信默认操作是 $_POST 值;FILTER_SANITIZE_STRING,但我只是想知道人们的意见是什么,如果这不是一个好的做法,也许你可以告诉我为什么?$_POST 值然后被单独嵌入到新变量中,所以我只会在开始时使用 array_map 来清理所有内容......
I have a form with a lot of variables which is then sending an email, rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SANITIZE_STRING); I was after a more simple piece of code. I came up with the below, which seems to work as I believe the default action is FILTER_SANITIZE_STRING, but I was just wondering what peoples opinions are, and if this is not good practice, perhaps you could tell me why? The $_POST values are then individually embedded into new variables, so I would only be using array_map just at the start to sanitize everything...
$_POST = array_map('filter_var', $_POST);
谢谢你的回复,给你多一点信息,基本上:
Thank you for your replies, to give you a little more information, basically:
我在一个被捕获的表单中有 20-30 个输入字段,然后将数据显示给用户以检查他们的输入,然后对变量进行消毒,然后向用户发送电子邮件然后最后将详细信息输入到数据库中.
I have 20-30 input fields in a form which are being captured, the data is then displayed to the user to check their input, variables are then sanitized, the user is then sent an email and then finally the details are entered into a db.
目前我正在使用上面的 array_map 函数以及 FILTER_SANITIZE_EMAIL 在发送电子邮件之前对电子邮件地址进行清理,然后在插入数据库之前使用 mysql_real_escape_string() 转义输入.没有进入准备好的陈述等......你认为我应该做些什么吗?再次感谢!
currently I am sanitizing using the above array_map function, as well as FILTER_SANITIZE_EMAIL on the email address before sending an email and then escaping the input using mysql_real_escape_string() before the insert into the db. Without getting into prepared statements etc.. do you think I should be doing anything additionally? thanks again!
推荐答案
如果你的每个输入变量的类型都是一个字符串并且你想一次清理它们,你可以使用:
If the type of each of your input variables is a string and you want to sanitize them all at once, you can use:
// prevent XSS
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
这将清理您的 $_GET 和 $_POST 数组.
This will sanitize your $_GET and $_POST arrays.
在这里看到:PHP -清理数组的值
这篇关于在 php 中清理整个 $_POST 数组的好方法是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
