将array_walk与mysqli_real_escape_string一起使用是不好的做法吗? [英] Is is bad practice to use array_walk with mysqli_real_escape_string?
问题描述
因此,我有一个名为转义"的函数,如下所示:
So I have a function called "escape" that looks like this:
function escape($string){
$escaped_string = mysqli_real_escape_string($this->conn, $string);
return $escaped_string;
}
在运行查询之前,我在此处发送了一个变量(显然来自用户输入),因此出于安全原因将其转义.
I before running a query I send a variable (originated from user input obviously) here so its escaped for security reasons.
现在,我知道可以使用array_walk将值的数组应用于此函数,但是我只是想知道是否有任何原因使我不应该这样做?我知道这听起来像一个愚蠢的问题,但是将其应用于用户输入的值而不是每个变量的数组将很容易.
Now I know its possible to use array_walk to apply an array of values to this function, but I just want to know if there is any reason why I shouldn't? I know it sounds like a daft question but it would be nice and easy to apply it to an array of user inputted values rather than each variable.
通常,如果在创建函数时我会这样做:
Normally if when making a function I will do it this way:
function whatever($user_input){
$user_input = $this->escape($user_input);
$this->query("SELECT dog from pets where owner = '$user_input'");
e.c.t.
}
但是,如果我有很多用户从表单(例如id)中输入数据,则只需将一个数组传递给该函数,然后在转义函数上使用array_walk即可避免麻烦.但是从安全角度来看,又有什么特殊的原因为什么这不是一个好主意?
But if I have a lot of user inputted data from a form for example id rather just pass an array into the function and use array_walk on the escape function to save myself the hassle. But again is there any particular reason (from a security point of view) why this is not a good idea?
推荐答案
是的,绝对
这种做法是臭名昭著的"魔术引号的转世. "功能,该功能曾经是该语言的一部分,但是现在谢天谢地,它不再是该语言的一部分.
YES, absolutely
The practice is the reincarnation of the infamous "magic quotes" feature, that once was a part of the language, but now thank goodness it is not.
这种方法对您没有好处,只会给您一种虚假的安全感,并且无缘无故地破坏您的数据.
Such an approach will do you no good but only a give a false feeling of security and spoil your data for no reason.
对于涉及PHP变量的所有数据库交互,必须使用准备好的语句.这是唯一100%安全的解决方案,这使相关功能过时了.
You must use prepared statements for all database interactions that involve PHP variables. This is the only 100% safe solution, and it makes the function in question obsolete.
在这里,我有一个使用准备好的语句的select查询示例, https://phpdelusions.net/mysqli_examples/prepared_select
Here I've got an example for the select query using prepared statements, https://phpdelusions.net/mysqli_examples/prepared_select
通过简单的帮助器功能,它比逃避驱动的混乱变成了更简单,更干净的解决方案
With a simple helper function it turns into much simpler and cleaner solution than that escaping-driven mess
这篇关于将array_walk与mysqli_real_escape_string一起使用是不好的做法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!