mysql_escape_string the whole POST array?

Time: 2021-11-02 13:11:57

I was wondering, is it possible to just mysql_escape_string the whole $_POST and $_GET arrays so you don't miss any variables?

Not sure how to test it or I would've myself. Thanks!

4 solutions

#1


11  

I would use the array_walk() function. It's better suited because it modifies the POST superglobal, so any future uses are sanitized.

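// The callback takes the value by reference so the escaped string is written back into $_POST.
array_walk_recursive( $_POST, function ( &$value ) { $value = mysql_real_escape_string( $value ); } );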

However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. E.g., emails don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parentheses in them (so only allow letters and selected special characters).

EDIT: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.
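
Answer #1's advice to limit the characters each field may contain, as an added example (not code from any of the answers). The field names, the patterns and the sample array standing in for $_POST are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example: per-field allow-list validation instead of blanket escaping.
// Field names and patterns are hypothetical; adjust them to your own form.
const FIELD_RULES = [
    // letters, digits, @, dots, dashes, underscores, plus
    'email' => '/\A[A-Za-z0-9._+\-]+@[A-Za-z0-9.\-]+\z/',
    // letters (any script), spaces, apostrophes, dots, dashes
    'name'  => '/\A[\p{L} \'.\-]{1,100}\z/u',
    // digits only, so the value can be cast to int
    'age'   => '/\A[0-9]{1,3}\z/',
];

function validate_fields(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        if (!array_key_exists($field, $input)) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];
        // A parameter sent as name[]=x arrives as an array, not a string.
        if (!is_string($value)) {
            $errors[$field] = 'not a string';
            continue;
        }
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'disallowed characters';
            continue;
        }
        $clean[$field] = $value;
    }
    // Fields that have no rule are dropped rather than passed through.
    return [$clean, $errors];
}

// Constructed sample input standing in for $_POST.
$post = [
    'email' => 'alice@example.com',
    'name'  => "O'Brien",
    'age'   => ['18'],              // array instead of a scalar
    'extra' => 'not in the rules',  // has no rule, so it is dropped
];

[$clean, $errors] = validate_fields($post, FIELD_RULES);
var_dump($clean, $errors);
```

The name "O'Brien" passes validation and still contains a quote, so validated values should reach the query through bound parameters (MySQLi or PDO prepared statements) rather than string concatenation.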

#2


5  

$escaped_POST = array_map('mysql_real_escape_string', $_POST);

Though, I would recommend using MySQLi instead.

#3


2  

You can use

foreach(array_keys($_POST) as $key)
{
  $clean[$key] = mysql_real_escape_string($_POST[$key]);
}

And after this, to access the POST data, use echo $clean['name'];

#4


1  

Try this

foreach(array_keys($_GET) as $key){ $_GET[$key] = mysql_real_escape_string($_GET[$key]);}
foreach(array_keys($_POST) as $key){ $_POST[$key] = mysql_real_escape_string($_POST[$key]);}

To mysql_real_escape_string Whole
