Problem description
I was wondering, is it possible to just mysql_escape_string the whole $_POST and $_GET array so you don't miss any variables?
Not sure how to test it, or I would've myself. Thanks!
Recommended answer
I would use the array_walk() function. It's better suited because it modifies the POST superglobal, so any future uses are sanitized.
// The callback must take the element by reference; passed by value, the escaped string it returns is discarded and $_POST is left unchanged.
array_walk_recursive( $_POST, function (&$v) { $v = mysql_real_escape_string($v); } );
However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. Ex. emails don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parentheses in them (so only allow letters and selected special characters).
Edit: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.
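The following is an added example, not code from the answer above. It shows the three points a practitioner should take from this thread in runnable form: a recursive in-place escape that actually modifies the array (the callback must take its argument by reference, otherwise array_walk_recursive() hands it a copy and the escaped string is thrown away), the per-field allow-list the answer recommends, and the parameterized query that makes escaping unnecessary in the first place. It assumes PHP 7 or later with the PDO SQLite driver; mysql_real_escape_string() was removed in PHP 7 and needs a live MySQL connection anyway, so the escaper is injected as a callable and addslashes() stands in for it here (addslashes() is not charset-aware and must not be used for real MySQL escaping). The field names, regexes and request data are constructed for the example.

```php
<?php
// Added example; not from the original answer. Assumes PHP 7+ with PDO SQLite.
// The escaper is injected so the code runs without a MySQL connection.

declare(strict_types=1);

/**
 * Escape every string leaf of $data in place, nested arrays included.
 * The closure takes $value by reference: array_walk_recursive() otherwise
 * passes a copy, and the escaped string returned by the escaper would be lost.
 */
function escape_request_array(array &$data, callable $escape): void
{
    array_walk_recursive($data, function (&$value) use ($escape): void {
        // Only strings are escaped; ints, floats, bools and nulls are left
        // untouched so they keep their type for later numeric checks.
        if (is_string($value)) {
            $value = $escape($value);
        }
    });
}

/**
 * Allow-list validation per field: the answer's "limit the character set" advice.
 * Returns the names of fields that are missing or fail their pattern.
 * The two rules below are hypothetical and only cover this example's fields.
 */
function invalid_fields(array $data): array
{
    $rules = [
        'email' => '/\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/',
        'name'  => "/\\A[A-Za-z' -]{1,64}\\z/",
    ];
    $bad = [];
    foreach ($rules as $field => $pattern) {
        if (!isset($data[$field]) || !is_string($data[$field]) || !preg_match($pattern, $data[$field])) {
            $bad[] = $field;
        }
    }
    return $bad;
}

/**
 * The approach that needs no escaping: bind the value as a parameter.
 * Uses an in-memory SQLite database so the example runs offline.
 */
function store_with_prepared_statement(PDO $pdo, string $name): string
{
    $pdo->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    // Read the row back; the driver stored the bound value verbatim.
    $row = $pdo->query('SELECT name FROM users ORDER BY id DESC LIMIT 1')->fetch(PDO::FETCH_ASSOC);
    return $row['name'];
}

// Constructed request data standing in for $_POST: a quote, a nested array, an int.
$post = [
    'name'  => "O'Brien",
    'email' => 'alice@example.com',
    'tags'  => ['blue', "x' OR '1'='1"],
    'age'   => 42,
];

// Stand-in escaper. Real code would use mysqli::real_escape_string() on an open
// connection; addslashes() is charset-unaware and used only to make this runnable.
$escape = 'addslashes';

// First pass: every string leaf is escaped, 'age' stays an integer.
$escaped = $post;
escape_request_array($escaped, $escape);
echo "after one pass: ", json_encode($escaped), PHP_EOL;

// Double-escaping hazard: a second pass escapes the backslashes added by the first,
// which is why escaping belongs at query-build time, not on the superglobal.
escape_request_array($escaped, $escape);
echo "after two passes: ", json_encode($escaped), PHP_EOL;

// Allow-list check on the original (unescaped) input.
echo "invalid in valid input: ", json_encode(invalid_fields($post)), PHP_EOL;
echo "invalid in bad input: ",
     json_encode(invalid_fields(['name' => 'Bob (admin)', 'email' => 'not an email'])), PHP_EOL;

// Parameterized insert: the apostrophe never touches the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "stored name: ", store_with_prepared_statement($pdo, $post['name']), PHP_EOL;
```

Run it with the PHP CLI. The first pass shows the apostrophes in name and tags[1] backslash-escaped while age is still a number; the second pass shows each backslash doubled and the quote escaped again, which is the data corruption you get when a blanket escape of $_POST is followed by another escape at query time. The allow-list rejects the name with parentheses and the malformed email, and the prepared statement stores "O'Brien" exactly as submitted without any escaping, which is the fix to prefer over escaping the whole request array.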