我需要在所有表单输入上使用 mysql_real_escape_string 吗? [英] Do I need to use mysql_real_escape_string on all form inputs?

问题描述

我知道我需要在用户输入字段(例如用户名输入字段)上使用它们，但是对于性别选项等单选按钮呢?

I know I need to use them on user input fields such as a username entry field, but what about for radio buttons such as a gender option?

推荐答案

停止！

您似乎将转义与数据验证和数据清理混淆了.

您需要验证传入的任何数据.是的，这意味着确保单选按钮包含合法值.

You need to validate any data that comes in. Yes, this means making sure that radio buttons contain legal values.

您需要清理任何传入的数据.该文本字段是否应包含 HTML?不?strip_tags.该字段应该是数字吗?将其转换为整数.

You need to sanitize any data that comes in. Should that text field contain HTML? No? strip_tags. Should that field be a number? Cast it as an integer.

您需要转义您放在数据库中的任何数据.如果您仍在使用史前的mysql"扩展，这意味着在构建查询时对所有内容使用 mysql_real_escape_string —— 而不是之前.

You need to escape any data that you place in the database. If you're still using the prehistoric "mysql" extension, this means using mysql_real_escape_string on everything as you build your query -- not before.

您需要转义任何您回显给用户的数据.htmlspecialchars 是你的朋友.

You need to escape any data you echo to the user. htmlspecialchars is your friend.

我之前已经详细解释过，虽然这不是一个重复的问题.

I've previously explained this in more detail, though this is not a duplicate question.

这篇关于我需要在所有表单输入上使用 mysql_real_escape_string 吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！