PHP function to sanitize all data


Question

Is it a good, or stupid idea to sanitize all the data that could be SQL-injected? I wrote a function that should do it, but I've never seen it done and was wondering if it was a poor idea. The function I wrote:

// Escapes every request value in place with mysql_real_escape_string()
// (requires an open connection from the legacy mysql_* extension).
function sanitizeData()
{
    $_SERVER['HTTP_USER_AGENT'] = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);
    foreach (array_keys($_COOKIE) as $key)
    {
        $_COOKIE[$key] = mysql_real_escape_string($_COOKIE[$key]);
    }
    foreach (array_keys($_POST) as $key)
    {
        $_POST[$key] = mysql_real_escape_string($_POST[$key]);
    }
    foreach (array_keys($_GET) as $key)
    {
        $_GET[$key] = mysql_real_escape_string($_GET[$key]);
    }
}

Answer

A bad idea; this is basically another version of the deprecated magic_quotes. Most of that data probably won't end up going into the database, so you'll end up escaping unnecessarily, and potentially double-escaping.

Instead, use prepared statements as needed. Look at mysqli_stmt (part of mysqli) and PDOStatement (part of PDO).
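The two problems the answer names, double-escaping and escaping data that never reaches the database, are easy to see side by side. The following is an added example, not code from the question or the answer. It uses PDO with an in-memory SQLite database so it runs offline (a MySQL DSN behaves the same way), and its `blanketEscape()` helper is a stand-in for the question's `sanitizeData()`, using `addslashes()` in place of `mysql_real_escape_string()` because the latter needs a live MySQL connection. The request values are constructed sample input.

```php
<?php
// Added example: shows why escaping every request value up front is harmful
// and how a prepared statement handles the same input without any escaping.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input: a perfectly legitimate name containing a quote.
$_POST = ['name' => "O'Brien"];

// Stand-in for the question's sanitizeData(): escape every value in place.
// addslashes() replaces mysql_real_escape_string(), which needs a MySQL link.
function blanketEscape(array &$request): void
{
    foreach (array_keys($request) as $key) {
        $request[$key] = addslashes((string) $request[$key]);
    }
}

$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$last   = fn(): string => (string) $pdo->query(
    'SELECT name FROM users ORDER BY id DESC LIMIT 1'
)->fetchColumn();

// 1. Blanket escaping followed by a prepared statement: the value is escaped
//    twice and the backslash is stored as part of the name.
$escaped = $_POST;
blanketEscape($escaped);
$insert->execute([':name' => $escaped['name']]);
echo "blanket escaping + prepared statement stores: " . $last() . "\n"; // O\'Brien

// 2. Prepared statement on the raw input: the driver sends the value apart from
//    the SQL text, so the quote is stored intact and cannot alter the query.
$insert->execute([':name' => $_POST['name']]);
echo "prepared statement alone stores: " . $last() . "\n"; // O'Brien

// 3. The same raw input concatenated into SQL: the quote terminates the string
//    literal and breaks the statement, which is exactly the injection surface.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('{$_POST['name']}')");
} catch (PDOException $e) {
    echo "string concatenation fails: " . $e->getMessage() . "\n";
}

// 4. Data that never reaches the database, such as a User-Agent echoed into an
//    HTML page, needs escaping for that output context, not SQL escaping.
$_SERVER['HTTP_USER_AGENT'] = 'ExampleBot/1.0 (<b>constructed</b>)';
echo htmlspecialchars($_SERVER['HTTP_USER_AGENT'], ENT_QUOTES, 'UTF-8'), "\n";
```

Run it with `php example.php`; case 1 prints the corrupted `O\'Brien`, case 2 prints the value as entered, and case 3 throws a syntax error from the unescaped quote. The lesson matches the answer: escape (or rather, bind) at the point where data meets a specific interpreter, not once for everything on the way in.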
