php 清理 $_POST 变量
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1610582/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
cleaning $_POST variables
提问by tscully
I'm trying to come up with a way to effectively easily clean all POST and GET variables with a single function. Here's the function itself:
我试图想出一种方法来有效地使用单个函数轻松清除所有 POST 和 GET 变量。这是函数本身:
//clean the user's input
function cleanInput($value, $link = '')
{
//if the variable is an array, recurse into it
if(is_array($value))
{
//for each element in the array...
foreach($value as $key => $val)
{
//...clean the content of each variable in the array
$value[$key] = cleanInput($val);
}
//return clean array
return $value;
}
else
{
return mysql_real_escape_string(strip_tags(trim($value)), $link);
}
}
And here's the code that would call it:
这是调用它的代码:
//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value)
{
$_POST[$key] = cleanInput($value, $link);
}
//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value)
{
$_GET[$key] = cleanInput($value, $link);
}
To me this seems like it should work. But for some reason it won't return arrays from some checkboxes I have in a form. They keep coming out blank.
对我来说,这似乎应该有效。但由于某种原因,它不会从我在表单中的某些复选框中返回数组。他们不断地出现空白。
I've tested my code without the above function and it works fine, I just want that added bit of security in there.
我已经在没有上述功能的情况下测试了我的代码并且它工作正常,我只是希望在那里增加一点安全性。
Thanks!
谢谢!
回答by Andrew
Use filter_inputif possible (php5 +) It keeps it a lot cleaner and as far as im aware you can sanitise and validate everything you could need using it.
如果可能,请使用filter_input(php5 +) 它使它更干净,据我所知,您可以清理和验证使用它可能需要的所有内容。
You can use filter var arrayand for example FILTER_SANITIZE_STRINGflag to filter the whole post array
您可以使用过滤器 var 数组和例如FILTER_SANITIZE_STRING标志来过滤整个帖子数组
filter_var_array($_POST, FILTER_SANITIZE_STRING) //just an example filter
There are loads of different filter options available on the w3schools filter reference
w3schools过滤器参考中提供了大量不同的过滤器选项
回答by robjmills
to make the recursion more elegant you could use something like array_mapfor example:
为了使递归更优雅,您可以使用类似array_map 的东西,例如:
$_POST = array_map('mysql_real_escape_string',$_POST);
Use filter var if you can though as these kind of approaches are generally bad, just an example though ;)
如果可以,请使用过滤器 var,因为这些方法通常很糟糕,不过只是一个例子;)
回答by Ben James
This is the wrong way to go about cleaning input.
这是清理输入的错误方法。
Applying blanket mysql escaping to absolutely everything in $_POSTand $_GETis going to come back and bite you, if you still want to use the data after you've made a database query but you don't want the escape characters in there.
如果您在进行数据库查询后仍想使用数据但不希望在其中使用转义字符,则将全面的 mysql 转义应用于绝对所有内容$_POST并且$_GET会回来咬您。
Use parameterised queries with mysqli or PDO and you will never need to use mysql_real_escape_string().
将参数化查询与 mysqli 或 PDO 一起使用,您将永远不需要使用mysql_real_escape_string().
回答by w35l3y
unchecked checkboxes are not sent to the server.
未选中的复选框不会发送到服务器。
you may use array_walk_recursiveto do what you want
你可以使用array_walk_recursive来做你想做的事
