mysql_escape_string whole post array?
I was wondering is it possible to just my_sql_escape string the whole $_POST and $_GET array so you don't miss any variables?
Not sure how to test it or I would've myself. Thanks!
Comments (4)
I would use the array_walk() function. It's better suited because it modifies the POST superglobal so any future uses are sanitized.
However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. Ex. Emails don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parentheses in them (so only allow letters and selected special characters).
EDIT: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.
Though, I would recommend using MySQLi instead.
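An added example (not code from any of the answers on this page) that combines the per-field character allow-list from the first answer with the MySQLi recommendation, using a prepared statement as one way to apply it. The field names, patterns, users table and sample input are assumptions made for the illustration.

```php
<?php
// Constructed sample input standing in for $_POST (nested array included).
$post = [
    'name'  => "Anne O'Brien",
    'email' => "anne@example.com' OR '1'='1",
    'tags'  => ['php', "x'); DROP TABLE users; --"],
];
// Allow-list per field (assumed names and patterns): only characters the field needs.
const RULES = [
    'name'  => '/^[\p{L} .\'-]{1,64}$/u',
    'email' => '/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/',
    'tags'  => '/^[a-z0-9_-]{1,32}$/',
];

// Returns [accepted values, rejected field names]; fields without a rule are dropped.
function validate_input(array $input, array $rules): array
{
    $clean = [];
    $rejected = [];
    foreach ($rules as $field => $pattern) {
        if (!array_key_exists($field, $input)) {
            continue;
        }
        $ok = true;
        $leaves = (array) $input[$field];
        // array_walk_recursive visits every leaf, so nested arrays are checked too.
        array_walk_recursive($leaves, function ($leaf) use ($pattern, &$ok) {
            if (!is_string($leaf) || preg_match($pattern, $leaf) !== 1) {
                $ok = false;
            }
        });
        if ($ok) {
            $clean[$field] = $input[$field];
        } else {
            $rejected[] = $field;
        }
    }
    return [$clean, $rejected];
}

// Hypothetical helper: values are bound as parameters, never spliced into the SQL text.
function insert_user(mysqli $db, array $clean): bool
{
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $clean['name'], $clean['email']);
    return $stmt->execute();
}

[$clean, $rejected] = validate_input($post, RULES);
echo 'accepted: ', implode(', ', array_keys($clean)), PHP_EOL;
echo 'rejected: ', implode(', ', $rejected), PHP_EOL;
```

The name O'Brien passes the allow-list even though it contains a quote, which is why the insert binds parameters instead of relying on validation alone.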
you can use
and after this to access post data use
echo $clean['name'];
Try This
To mysql_real_escape_string Whole