问题描述

清理所有可能被 sqlinjected 的数据是一个好主意还是一个愚蠢的主意?我写了一个应该这样做的函数，但我从未见过它完成并且想知道这是否是一个糟糕的主意.我写的函数:

Is it a good, or stupid idea to sanitize all the data that could be sqlinjected? I wrote a function that should do it, but I've never seen it done and was wondering if it was a poor idea.The function I wrote:

function sanitizeData()
{
    $_SERVER['HTTP_USER_AGENT'] = mysql_real_escape_string($_SERVER['HTTP_USER_AGENT']);
    foreach(array_keys($_COOKIE) as $key)
    {
          $_COOKIE[$key] = mysql_real_escape_string($_COOKIE[$key]);
    }
    foreach(array_keys($_POST) as $key)
    {
          $_POST[$key] = mysql_real_escape_string($_POST[$key]);
    }
    foreach(array_keys($_GET) as $key)
    {
          $_GET[$key] = mysql_real_escape_string($_GET[$key]);
    }
}

推荐答案

一个坏主意；这基本上是已弃用的 magic_quotes 的另一个版本.大多数数据最终可能不会进入数据库，因此您最终会进行不必要的转义，并且可能会进行双重转义.

A bad idea; this is basically another version of the deprecated magic_quotes. Most of that data probably won't end up going into the database, so you'll end up escaping unnecessarily, and potentially double-escaping.

相反，根据需要使用准备好的语句.查看mysqli_stmt(mysqli的一部分)和PDOStatement(PDO的一部分).

Instead, use prepared statements as needed. Look at mysqli_stmt (part of mysqli) and PDOStatement (part of PDO).

这篇关于PHP 函数来清理所有数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！