what is a good method to sanitize the whole $_POST array in php?


Question


I have a form with a lot of variables which is then sending an email, rather than sanitizing each $_POST value with filter_var($_POST['var'], FILTER_SANITIZE_STRING); I was after a more simple piece of code. I came up with the below, which seems to work as I believe the default action is FILTER_SANITIZE_STRING, but I was just wondering what peoples opinions are, and if this is not good practice, perhaps you could tell me why? The $_POST values are then individually embedded into new variables, so I would only be using array_map just at the start to sanitize everything...

$_POST = array_map('filter_var', $_POST);


Thank you for your replies, to give you a little more information, basically:

I have 20-30 input fields in a form which are being captured,
the data is then displayed to the user to check their input,
variables are then sanitized,
the user is then sent an email
and then finally the details are entered into a db.


currently I am sanitizing using the above array_map function, as well as FILTER_SANITIZE_EMAIL on the email address before sending an email and then escaping the input using mysql_real_escape_string() before the insert into the db. Without getting into prepared statements etc.. do you think I should be doing anything additionally? thanks again!

Recommended answer


If the type of each of your input variables is a string and you want to sanitize them all at once, you can use:

// prevent XSS
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);


This will sanitize your $_GET and $_POST arrays.


Seen here: PHP - Sanitize values of an array
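As an added example (not code from the question or the answer), here is a recursive sanitizer for the whole request array. Two caveats motivate it: array_map('filter_var', $_POST) runs filter_var with FILTER_DEFAULT, which leaves the value unchanged and returns false for nested fields such as name[], and FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the example uses FILTER_SANITIZE_FULL_SPECIAL_CHARS instead. The $post array is constructed sample input.

```php
<?php
// Added example, not from the original question or answer.

/**
 * Apply one sanitize filter to every scalar leaf of a (possibly nested) array.
 * array_map('filter_var', $array) only touches the first level and uses
 * FILTER_DEFAULT (an alias of FILTER_UNSAFE_RAW), which changes nothing,
 * so nested inputs like tags[] would come back as false.
 */
function sanitize_recursive(array $input, int $filter = FILTER_SANITIZE_FULL_SPECIAL_CHARS): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        if (is_array($value)) {
            $clean[$key] = sanitize_recursive($value, $filter);
        } elseif (is_scalar($value) || $value === null) {
            // FILTER_SANITIZE_FULL_SPECIAL_CHARS entity-encodes < > & " ' for HTML output.
            $clean[$key] = filter_var((string) $value, $filter);
        }
        // Objects/resources cannot arrive from a form post; drop anything else.
    }
    return $clean;
}

// Constructed sample resembling a multi-field form post with one nested field.
$post = [
    'name'    => 'Alice <b>Smith</b>',
    'email'   => 'alice@example.com',
    'comment' => '"Hello" & <script>alert(1)</script>',
    'tags'    => ['php', '<i>security</i>'],
];

// Every leaf, including $clean['tags'][1], is now safe to echo into HTML.
$clean = sanitize_recursive($post);
var_dump($clean);

// Fields with their own grammar still need their own handling: validate the
// address instead of sanitizing it, and hand values to the database as bound
// parameters rather than relying on the HTML-oriented filter above.
$email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new InvalidArgumentException('invalid e-mail address');
}
```

In the poster's flow the call would be `$_POST = sanitize_recursive($_POST);` once at the top of the script, with FILTER_VALIDATE_EMAIL on the address and prepared statements for the insert.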
