擦除MySQL值和CSVtoArray() [英] Scrubbing MySQL Values and CSVtoArray()
问题描述
我有一个函数将csv字符串传递给mysql以用作值:
<?php
函数fnINSERT($ csvValues){
$ sSQL =" INSERT INTO mytable(
field_a,field_b,field_b,field_c
)VALUES {
$ csvValues);
返回mysql_query($ sSQL);
}
//注意SQL注入攻击第二个参数
$ csvValues =" 1,"''''''''''=''"
$ oResult = fnINSERT($ csvValues) ;
?>
$ csvValues已针对某些业务逻辑进行了清理,但(很明显)
它需要有mysql_real_escape函数也运行在每个
csv值上。
出于架构原因,我不能在函数之前进行擦洗
被调用,但是当涉及到这个csv SLOB时我必须这样做。
我的第一个问题:
我可以运行真实的e整个$ csvValues上的scape函数,
成功擦除每个参数 - 或者我会以这种方式体验不良的
结果吗?
我的第二个问题:
我可以很容易地将数组转换为csv,但是反过来
搞砸了我(因为引用了逗号)。所以,我的架构原因
(对于这个以及其他一些东西)如果有人可以消失
帮助我编写这样的函数:
函数CSVtoArray($ sCSV){
$ aryRetVal = array();
$ aryRetVal = foo($ sCSV);
返回$ aryRetVal;
}
csvValues){
sSQL =" INSERT INTO mytable(
field_a,field_b,field_b,field_c
)VALUES {
csvValues);
返回mysql_query(
I have a function that passes a csv string to mysql to use as values:
<?php
function fnINSERT ($csvValues) {
$sSQL = "INSERT INTO mytable (
field_a, field_b, field_b, field_c
) VALUES {
$csvValues);
return mysql_query($sSQL);
}
//note the SQL Injection attack in the 2nd parameter
$csvValues = "1, "''1'' OR ''''=''"
$oResult = fnINSERT($csvValues);
?>
$csvValues is already scrubbed for some business logic, but (obviously)
it needs to have that mysql_real_escape function run on each of those
csv values, as well.
For architectural reasons, I can''t do the scrubbing before the function
is called, but instead have to do it when it comes to me as this csv SLOB.
My First Question:
Can I run the real escape function on $csvValues as a whole, to
successfully scrub each parameter - or will I experience undesirable
results that way?
My Second Question:
I can convert an array to csv pretty easily, but going the other way
screws me up (because of quoted commas). So, my "architectural reasons"
(for this and some other stuff, too) would evaporate if someone could
help me write a function like this:
function CSVtoArray($sCSV) {
$aryRetVal = array();
$aryRetVal = foo($sCSV);
return $aryRetVal;
}
csvValues) {
sSQL = "INSERT INTO mytable (
field_a, field_b, field_b, field_c
) VALUES {
csvValues);
return mysql_query(
这篇关于擦除MySQL值和CSVtoArray()的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
