将array_walk与mysqli_real_escape_string一起使用是不好的做法吗? [英] Is is bad practice to use array_walk with mysqli_real_escape_string?

问题描述

因此，我有一个名为转义"的函数，如下所示:

So I have a function called "escape" that looks like this:

function escape($string){
    $escaped_string = mysqli_real_escape_string($this->conn, $string);
    return $escaped_string;
}

在运行查询之前，我在此处发送了一个变量(显然来自用户输入)，因此出于安全原因将其转义.

I before running a query I send a variable (originated from user input obviously) here so its escaped for security reasons.

现在，我知道可以使用array_walk将值的数组应用于此函数，但是我只是想知道是否有任何原因使我不应该这样做?我知道这听起来像一个愚蠢的问题，但是将其应用于用户输入的值而不是每个变量的数组将很容易.

Now I know its possible to use array_walk to apply an array of values to this function, but I just want to know if there is any reason why I shouldn't? I know it sounds like a daft question but it would be nice and easy to apply it to an array of user inputted values rather than each variable.

通常，如果在创建函数时我会这样做:

Normally if when making a function I will do it this way:

function whatever($user_input){
    $user_input = $this->escape($user_input);
    $this->query("SELECT dog from pets where owner = '$user_input'");
     e.c.t. 
}

但是，如果我有很多用户从表单(例如id)中输入数据，则只需将一个数组传递给该函数，然后在转义函数上使用array_walk即可避免麻烦.但是从安全角度来看，又有什么特殊的原因为什么这不是一个好主意?

But if I have a lot of user inputted data from a form for example id rather just pass an array into the function and use array_walk on the escape function to save myself the hassle. But again is there any particular reason (from a security point of view) why this is not a good idea?

推荐答案

是的，绝对

这种做法是臭名昭著的"魔术引号的转世. "功能，该功能曾经是该语言的一部分，但是现在谢天谢地，它不再是该语言的一部分.

YES, absolutely

The practice is the reincarnation of the infamous "magic quotes" feature, that once was a part of the language, but now thank goodness it is not.

这种方法对您没有好处，只会给您一种虚假的安全感，并且无缘无故地破坏您的数据.

Such an approach will do you no good but only a give a false feeling of security and spoil your data for no reason.

对于涉及PHP变量的所有数据库交互，必须使用准备好的语句.这是唯一100％安全的解决方案，这使相关功能过时了.

You must use prepared statements for all database interactions that involve PHP variables. This is the only 100% safe solution, and it makes the function in question obsolete.

在这里，我有一个使用准备好的语句的select查询示例， https://phpdelusions.net/mysqli_examples/prepared_select

Here I've got an example for the select query using prepared statements, https://phpdelusions.net/mysqli_examples/prepared_select

通过简单的帮助器功能，它比逃避驱动的混乱变成了更简单，更干净的解决方案

With a simple helper function it turns into much simpler and cleaner solution than that escaping-driven mess

这篇关于将array_walk与mysqli_real_escape_string一起使用是不好的做法吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！