PHP可以（应该）我array_map filter_var $ _POST [英] PHP can (should) I array_map filter_var to $_POST

问题描述

  
 
  $交= array_map（ filter_data，$ _ POST）; 
  

我已经更新到新版本（PHP 5.2之后） p>

  $ post = array_map（filter_var，$ _ POST，array（516））; // 516 =='unsafe_raw'
  

现在我很偏执，这似乎太容易了。所以

• 我不应该这样做所有 post 数据？ （变幻莫测的眼神）
  
• 通用过滤器 post ，获得或cookie数据？

试图通用的消毒剂，主要是为了消除SQL注入。如果我有一个电子邮件地址或我可以稍后再过滤。任何想法/建议/恐惧凝视？

解决方案

为避免SQL注入，总是使用适当的函数在将数据插入查询字符串之前，为您的数据库添加数据 mysql_real_escape_string 。一个通用的过滤器不是特定于您的数据库不保证任何东西，并可能只会过滤太多。

对于其他任何事情，如电子邮件验证，使用

另外，使用常量 FILTER_UNSAFE_RAW ，而不是它的数字值。 p>

I just stumbled on this neat bit of code to filter $_POST data quickly:

$post=array_map("filter_data",$_POST);

I've updated it to the new version (after PHP 5.2) and I've got

$post=array_map("filter_var",$_POST,array(516));  // 516 == 'unsafe_raw'

Now I'm paranoid; this seems too easy. So

• Should I not do this for all post data? (shifty nervous eyes)
• Is unsafe_raw the correct filter for generic post, get, or cookie data?

I should add I'm just trying for a general sanitizer, mainly to remove SQL injections. If I have an email address or something I can filter again later. Any ideas / suggestions / horrified stares?

解决方案

To avoid SQL injection, always use the appropriate functions for your database just before plugging the value into the query string, e.g. mysql_real_escape_string. A general filter not specific to your database doesn't guarantee anything and will probably only filter too much.

For anything else, like email validation, use the specific filter on the specific variable that holds the email address.

Also, use the constant FILTER_UNSAFE_RAW, not its numeric value.

这篇关于PHP可以（应该）我array_map filter_var $ _POST的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！