Where to include data sanitization: inside or outside object functions?
I'm doing a PHP OO project and have long been thinking about where to put variable sanitization. Make the object methods all around, ready to rumble and do the sanitization, or give the coder some freedom and space for negligence to sanitize all the data by himself and make the functions dumb executors?
Which one is the preferred OO-conforming way?
class something
{
    private $db; // database wrapper, assumed to be injected elsewhere

    public function getCategoryByCID($cid)
    {
        if (!is_array($cid))
            $cid = (array)$cid;
        $cid = implode("','", $cid);
        $cid = sanitizemeHARD($cid);   // sanitization built into the method
        $sql = "SELECT * FROM cat WHERE (cat_cid IN ('$cid'))";
        return $this->db->q($sql);
    }
}
$c = new something();
$c->getCategoryByCID($_GET['cid']);

OR

$c = new something();
$cid = sanitizemeHARD($_GET['cid']);   // the caller sanitizes before the call
$c->getCategoryByCID($cid); // Of course in this case, the func doesn't have sanitization built in
Comments (4)
It's a question of policy that you set for the whole project.
I would prefer following the rule "Filter upon receiving" - i.e. at the point where external data is acquired.
This would avoid double-sanitizing in each object/method the data might pass through, and also makes it easier to check the whole code for correct filtering.
So, in your example - the second case.
You need to let the coder take care of the sanitization, because you do not know what type of value is expected; the coder knows.
But in your example, you try to sanitize for string concatenation in SQL statements. You should not do that; use prepared queries instead.
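As an added example (not code from the question or from any of the answers), here is the question's getCategoryByCID() rewritten the way this answer and the "filter upon receiving" answer suggest: the caller validates the ids as integers at the boundary, and the method builds one placeholder per id for a PDO prepared statement, so no value is ever concatenated into the SQL text. The class name, the cidsFromRequest() helper, the in-memory SQLite database standing in for $db, and the cat table rows are all constructed for this example (PHP 8 syntax).

```php
<?php
// Added example (not the question's or the answers' code): the question's
// getCategoryByCID() with a PDO prepared statement plus validation at the
// boundary. SQLite in-memory DB, `cat` layout and rows are constructed here.

class Something
{
    public function __construct(private PDO $db) {}

    /** @param int[] $cids  already validated by the caller (filter upon receiving) */
    public function getCategoryByCID(array $cids): array
    {
        if ($cids === []) {
            return []; // "IN ()" is a syntax error, so short-circuit an empty list
        }
        // One "?" per id; values travel separately from the SQL text, so nothing
        // is escaped and the "','" separators of the original cannot be mangled.
        $placeholders = implode(',', array_fill(0, count($cids), '?'));
        $stmt = $this->db->prepare(
            "SELECT cat_cid, name FROM cat WHERE cat_cid IN ($placeholders)"
        );
        $stmt->execute(array_values($cids));
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

/** Boundary filter: accept only positive integers, from one value or an array. */
function cidsFromRequest($raw): array
{
    $out = [];
    foreach ((array)$raw as $value) {
        $cid = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($cid === false) {
            throw new InvalidArgumentException('invalid cid: ' . var_export($value, true));
        }
        $out[] = $cid;
    }
    return $out;
}

// Constructed fixture standing in for the project's real $db connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cat (cat_cid INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO cat VALUES (1, 'books'), (2, 'music'), (3, 'games')");
$c = new Something($db);
print_r($c->getCategoryByCID(cidsFromRequest(['1', '3']))); // two validated ids
try {
    cidsFromRequest(['1', '3abc']);                         // rejected at the boundary
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```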
First case (sanitize inside function) is better, I think. Because:
if
s, for example), so you will sanitize data only when it's really necessary, you will save your CPU time :)
I would go with inside:
1) You may need to open a DB connection to sanitize, and maybe you do that inside your function. (But it depends on your design.)
2) The process is automated. You don't need to take care of sanitization manually every time. The one time you forget to sanitize could be a big problem.