php mysql_real_escape_string() 用于整个 $_REQUEST 数组,还是需要遍历它?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4223028/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
mysql_real_escape_string() for entire $_REQUEST array, or need to loop through it?
提问by ajo
Is there an easier way of safely extracting submitted variables other than the following?
除了以下方法之外,是否有更简单的方法可以安全地提取提交的变量?
if(isset($_REQUEST['kkld'])) $kkld=mysql_real_escape_string($_REQUEST['kkld']);
if(isset($_REQUEST['info'])) $info=mysql_real_escape_string($_REQUEST['info']);
if(isset($_REQUEST['freq'])) $freq=mysql_real_escape_string($_REQUEST['freq']);
(And: would you use isset()in this context?)
(而且:你会isset()在这种情况下使用吗?)
回答by deceze
To escape all variables in one go:
一口气转义所有变量:
$escapedGet = array_map('mysql_real_escape_string', $_GET);
To extractall variables into the current namespace (i.e. $foo = $_GET['foo']):
将所有变量提取到当前命名空间(即$foo = $_GET['foo']):
extract($escapedGet);
Please do not do this last step though. There's no need to, just leave the values in an array. Extracting variables can lead to name clashes and overwriting of existing variables, which is not only a hassle and a source of bugs but also a security risk. Also, as @BoltClock says, stick to $_GETor $_POST. Also2, as @zerkms points out, there's no point in mysql_real_escapingvariables that are not supposed to be used in a database query, it may even lead to further problems.
不过请不要做这最后一步。没有必要,只需将值保留在数组中。提取变量会导致名称冲突和覆盖现有变量,这不仅是麻烦和错误的来源,而且是安全风险。另外,正如@BoltClock 所说,坚持使用$_GET或$_POST。另外2,正如@zerkms 指出的那样,mysql_real_escaping不应该在数据库查询中使用的变量没有意义,它甚至可能导致进一步的问题。
Note that really noneof this is a particularly good idea at all, you're just reincarnating magic_quotes and global_vars, which were horrible PHP practices from ages past. Use prepared statements with bound parameters via mysqli or PDO and use values through $_GETor filter_input. See http://www.phptherightway.com.
请注意,实际上这些都不是一个特别好的主意,您只是在转世 magic_quotes 和 global_vars,这些都是过去很糟糕的 PHP 实践。通过 mysqli 或 PDO 使用带有绑定参数的准备好的语句,并通过$_GET或使用值filter_input。请参阅http://www.phptherightway.com。
回答by Starx
You can also use a recursive function like this to accomplish that
您也可以使用这样的递归函数来完成
function sanitate($array) {
foreach($array as $key=>$value) {
if(is_array($value)) { sanitate($value); }
else { $array[$key] = mysql_real_escape_string($value); }
}
return $array;
}
sanitate($_POST);
回答by schier
As far as I'm concerned Starx' and Ryan's answer from Nov 19 '10 is the best solution here as I just needed this, too.
就我而言,Starx 和 Ryan 在 10 年 11 月 19 日的回答是最好的解决方案,因为我也只需要这个。
When you have multiple input fields with one name (e.g. names[]), meaning they will be saved into an array within the $_POST-array, you have to use a recursive function, as mysql_real_escape_string does not work for arrays.
当您有多个具有同一个名称的输入字段(例如,名称 [])时,这意味着它们将被保存到 $_POST 数组中的一个数组中,您必须使用递归函数,因为 mysql_real_escape_string 不适用于数组。
So this is the only solution to escape such a $_POST variable.
所以这是逃避这种 $_POST 变量的唯一解决方案。
function sanitate($array) {
foreach($array as $key=>$value) {
if(is_array($value)) { sanitate($value); }
else { $array[$key] = mysql_real_escape_string($value); }
}
return $array;
}
sanitate($_POST);
回答by vatavale
If you use mysqliextension and you like to escape all GET variables:
如果您使用mysqli扩展并且您想转义所有 GET 变量:
$escaped_get = array_map(array($mysqli, 'real_escape_string'), $_GET);
回答by Gordon
To sanitize or validate any INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV, you can use
要清理或验证任何INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, 或INPUT_ENV,您可以使用
filter_input_array— Gets external variables and optionally filters them
filter_input_array— 获取外部变量并可选择过滤它们
Filtering can be done with a callback, so you could supply mysql_real_escape_string.
过滤可以通过回调完成,因此您可以提供mysql_real_escape_string.
This method does not allow filtering for $_REQUEST, because you should not work with $_REQUESTwhen the data is available in any of the other superglobals. It's potentially insecure.
此方法不允许对 进行过滤$_REQUEST,因为当数据在任何其他超全局变量中可用时,您不应使用$_REQUEST该方法。这可能是不安全的。
The method also requires you to name the input keys, so it's not a generic batch filtering. If you want generic batch filtering, use array_mapor array_walkor array_filteras shown elsewhere on this page.
该方法还要求您命名输入键,因此它不是通用的批处理过滤。如果您想要通用批量过滤,请使用array_map或array_walk,array_filter如本页其他地方所示。
Also, why are you using the old mysql extension instead of the mysqli(i for improved) extension. The mysqli extension will give you support for transactions, multiqueriesand prepared statements(which eliminates the need for escaping) All features that can make your DB code much more reliable and secure.
另外,为什么您使用旧的 mysql 扩展而不是mysqli(i 用于改进)扩展。mysqli 扩展将为您提供对事务、多查询和准备好的语句(无需转义)的支持,所有功能都可以使您的数据库代码更加可靠和安全。
回答by mario
As an alternative, I can advise you to use PHP7 input filters, which provides a shortcut to sql escaping. I'd not recommend it per se, but it spares creating localized variables:
作为替代方案,我建议您使用PHP7 输入过滤器,它提供了 sql 转义的快捷方式。我本身不推荐它,但它不会创建本地化变量:
$_REQUEST->sql['kkld']
Which can be used inline in SQL query strings, and give an extra warning should you forget it:
可以在 SQL 查询字符串中内联使用,如果你忘记了它,会给出一个额外的警告:
mysql_query("SELECT x FROM y WHERE z = '{$_REQUEST->sql['kkld']}'");
It's syntactically questionable, but allows you escaping only those variables that really need it. Or to emulate what you asked for, use $_REQUEST->sql->always();
它在语法上有问题,但只允许您转义那些真正需要它的变量。或者要模仿您的要求,请使用$_REQUEST->sql->always();
