Escaping user data, without magic quotes


Question

I'm taking a look at how to properly escape data that comes from the outside world before it gets used either for application control, storage, logic... that kind of thing.

Obviously, with the magic quotes directive being deprecated shortly in php 5.3.0+, and removed in php6, this becomes more pressing for anyone looking to upgrade and get into the new language features while maintaining legacy code (don't we love it...).

However, one thing that I haven't seen is much discussion about theory/best practice with what to do once you have protected your data - for example, to store with or without slashes? I personally think keeping escaped data in the DB is a bad move, but want to hear discussion and read some case studies preferably.

References:

PHP Manual - mysql_real_escape_string

PHP Manual - htmlspecialchars

etc.

Any tips?

Accepted answer

Take a look at prepared statements. I know in mysql this works very well and is a secure form of getting data into your database. It has a few performance benefits too.

http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html

I have some more resources if you are interested.

Hope this is what you are looking for, tc.

Edit:

One thing I can add is using filters in combination with prepared statements. For example, to check if the value is a string you use FILTER_SANITIZE_STRING, or for the email you use FILTER_SANITIZE_EMAIL.

This saves some amount of code and works very well. You can always check the data using your own methods afterwards, but there are a lot of filters you can use.
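As an added example (not from the question or the answer above), the three pieces put together the way the question asks about: validate the shape of the input with filter_var, store the raw value through a PDO prepared statement so nothing ever gets slashes added, and escape with htmlspecialchars only at the point of HTML output. It uses FILTER_VALIDATE_EMAIL (reject bad input) rather than the FILTER_SANITIZE_EMAIL (strip characters) mentioned above; the SQLite in-memory DSN and the sample input are constructed so it runs offline, and against MySQL only the DSN changes.

```php
<?php
declare(strict_types=1);

// Escape for the HTML output context only; never before storage.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input standing in for $_POST. The quote and the tag are
// exactly the characters magic_quotes/addslashes used to mangle.
$input = [
    'name'  => "O'Brien <script>alert(1)</script>",
    'email' => 'obrien@example.com',
];

// Assumption: SQLite in-memory so the example runs stand-alone. For MySQL use
// e.g. 'mysql:host=db;dbname=app;charset=utf8mb4' with user/password; the
// prepared-statement code below is unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');

// 1. Validate: reject data of the wrong shape instead of "fixing" it.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    throw new InvalidArgumentException('invalid e-mail address');
}
$name = trim($input['name']);
if ($name === '' || strlen($name) > 100) {
    throw new InvalidArgumentException('name must be 1..100 bytes');
}

// 2. Store the RAW value via a bound parameter. The driver keeps SQL and data
//    apart, so no escaping is needed and no slashes end up in the table.
$stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$stmt->execute([':name' => $name, ':email' => $email]);

// 3. Read it back: byte-for-byte what the user typed, no stripslashes() dance.
$row = $pdo->query('SELECT name, email FROM users')->fetch(PDO::FETCH_ASSOC);
if ($row['name'] !== $input['name']) {
    throw new RuntimeException('stored value was altered');
}

// 4. Escape at output, for this context (HTML). A JSON or shell context would
//    need its own encoder, which is why the DB must hold the unescaped value.
echo '<p>Hello, ' . h($row['name']) . ' (' . h($row['email']) . ')</p>', PHP_EOL;
```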
