问题描述
清理所有可能被 sqlinjected 的数据是一个好主意还是一个愚蠢的主意?我写了一个应该这样做的函数,但我从未见过它完成并且想知道这是否是一个糟糕的主意.我写的函数:
Is it a good, or stupid idea to sanitize all the data that could be sqlinjected? I wrote a function that should do it, but I've never seen it done and was wondering if it was a poor idea.The function I wrote:
function sanitizeData()
{
$_SERVER['HTTP_USER_AGENT'] = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);
foreach(array_keys($_COOKIE) as $key)
{
$_COOKIE[$key] = mysql_real_escape_string($_COOKIE[$key]);
}
foreach(array_keys($_POST) as $key)
{
$_POST[$key] = mysql_real_escape_string($_POST[$key]);
}
foreach(array_keys($_GET) as $key)
{
$_GET[$key] = mysql_real_escape_string($_GET[$key]);
}
}
推荐答案
一个坏主意;这基本上是已弃用的 magic_quotes 的另一个版本.大多数数据最终可能不会进入数据库,因此您最终会进行不必要的转义,并且可能会进行双重转义.
A bad idea; this is basically another version of the deprecated magic_quotes. Most of that data probably won't end up going into the database, so you'll end up escaping unnecessarily, and potentially double-escaping.
相反,根据需要使用准备好的语句.查看mysqli_stmt
(mysqli的一部分)和PDOStatement
(PDO的一部分).
Instead, use prepared statements as needed. Look at mysqli_stmt
(part of mysqli) and PDOStatement
(part of PDO).
这篇关于PHP 函数来清理所有数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!