转义PHP GET和POST值 [英] Escaping PHP GET and POST values

问题描述

可能重复:
最终的清理/安全功能

Possible Duplicate:
The ultimate clean/secure function

我在另一个线程中被告知，这段代码非常没用:

I was informed in another thread that this bit of code was pretty useless:

function getPost($s) {
        if (array_key_exists($s, $_POST))
            return mysql_real_escape_string(htmlspecialchars($_POST[$s]));
        else return false;
    }


    function getGet($s) {
        if (array_key_exists($s, $_GET))
            return mysql_real_escape_string(htmlspecialchars($_GET[$s]));
        else return false;
    }

请问有人能帮助我理解为什么以及如何使它变得更好吗?也欢迎链接或参考.

Can anybody help understand why and how I can make it better please? Links or references are welcome also.

只想一直改进:)

推荐答案

好吧，这与magic_quotes_gpc不好一样.它是魔术，可以逃避一切，无论您是否想要.相反，请处理转义符的使用位置，您可以毫无问题地进行更改.所以:

Well, it's bad for the same way magic_quotes_gpc is bad. It's magic and will escape everything, whether you want it to or not. Instead, handle the escaping where it's used, and you can change things without any problem. So:

function post($key) {
    if(array_key_exists($key, $_POST)) {
        return $_POST[$key];
    }

    return false;
}

在需要的地方进行转义.否则，事情看起来可能会很奇怪，而逃避这些挑战将使事情变得毫无意义.考虑一下；我在文本框中输入了我的姓氏O'Hara.您想echo取回它，但是您可以使用getPost取回它.这是我回来的东西:

And do your escaping where it's needed. Otherwise, things can look strange, and unescaping them will defeat the point. Consider this; I input my last name, O'Hara, in a textbox. You want to echo it back, but you fetch it using getPost. Here's what I get back:

奥哈拉

您又htmlspecialchars了吗?好吧，然后我得到:

Did you htmlspecialchars it again? Well, then I get:

O \' ara

O\'ara

之类的.这在我身上经常发生，而且非常令人讨厌-请不要这样做.

or something. This happens to me a lot and it's incredibly annoying - please don't do it.

这篇关于转义PHP GET和POST值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！