使用php filter_var和mysql_real_escape_string [英] Using php filter_var with mysql_real_escape_string
问题描述
我想开始说我的问题,我认识到PDO/mysqli是新标准,并且已在SO上广泛涉及.但是在这种特殊情况下,我没有时间在启动客户端站点之前将所有查询都转换为PDO.
I would like to start my question by saying, I realize PDO/mysqli is the new standard and has been widely covered on SO. However in this particular case I dont have time to convert all queries to PDO before launching the clients site.
以下内容在网站上的大多数查询中都已使用(我不能补充)
The following has been used throughout most of the queries on the site (not by me may I add)
$userEmail = filter_var($_POST['fEmail'], FILTER_SANITIZE_EMAIL);
$userEmail = mysql_real_escape_string($userEmail);
$sql ="SELECT email FROM members WHERE email = '$userEmail'";
:
:
我想知道:
像上面的示例一样,同时使用filter_var和mysql_real_escape_string是好的/可以的做法吗?我主要关心的是,这两个功能可以一起使用还是在执行/上传到数据库时引起某种冲突/错误?
Is it good / okay practise to use filter_var and mysql_real_escape_string together as in the example above? My main concern is, can these two functions be used together or cause some sort of conflict / bug when executing / uploading to DB?
同时使用两者还有什么好处?
Also is there any sort of benefit in using both?
预先感谢
推荐答案
消毒字符串用于使其符合某些期望. FILTER_SANITIZE_EMAIL从字符串中删除在电子邮件中无效的任何字符.结果(据称)保证符合电子邮件地址语法.我将取决于您,从字符串中随机删除字符有多有用. (提示:我根本不认为这很有用;您应该拒绝无效地址,而不是将其转换为随机结果.我给您一个无效的电子邮件地址,将其锤打成类似于电子邮件地址的形状,现在您知道您可以给我发送电子邮件吗...?!)
Sanitising a string serves to make it conform to certain expectations. FILTER_SANITIZE_EMAIL removes any characters from a string which would be invalid in an email. The result is (supposedly) guaranteed to conform to email address syntax. How useful randomly removing characters from a string is I'll leave up to you. (Hint: I don't think it's very useful at all; you should rather reject invalid addresses than to transform them into random results. I give you an invalid email address, you hammer it into some shape that resembles an email address, now how do you know you'll be able to send me an email...?!)
mysql_real_escape_string可以通过转义所有可转义字符来确保任意字符串不违反SQL的字符串文字语法.假设您正确使用了它(mysql有很多陷阱,这就是为什么不建议使用它的原因...),那么您对它的输入将无能为力,这会使它失败.您给它任意字符串,它将返回转义的版本,句点.
mysql_real_escape_string is there to ensure that an arbitrary string does not violate SQL's string literal syntax by escaping all escape-worthy characters. Assuming you're using it correctly (lots of pitfalls mysql has, which is why it's deprecated...), there's nothing you can do to its input that would make it fail. You give it any arbitrary string, it returns you the escaped version, period.
因此,总的来说,是的,您正在做的事很好.如果mysql_real_escape_string是 last 的处理对象,然后再将其插值到SQL字符串文字中,那么就可以了.
As such, in general, yes, what you're doing is fine. If mysql_real_escape_string is the last thing you do to your string before interpolating it into an SQL string literal, then it's fine.
这篇关于使用php filter_var和mysql_real_escape_string的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
