Php 转义多个字符串的良好实践
当同时转义来自POST或GET的多个字符串时,这是一种好的做法吗 还有什么我应该考虑或做的不同吗?我现在有PDO,但在这段代码中我不想使用它Php 转义多个字符串的良好实践,php,mysql,string,escaping,Php,Mysql,String,Escaping,当同时转义来自POST或GET的多个字符串时,这是一种好的做法吗 还有什么我应该考虑或做的不同吗?我现在有PDO,但在这段代码中我不想使用它 class Bo extends Db { function clean($cThis) { $res = array(); foreach (array_keys($cThis) as $key) { $res[$key] = mysql_real_escape_string(add
class Bo extends Db
{
function clean($cThis)
{
$res = array();
foreach (array_keys($cThis) as $key) {
$res[$key] = mysql_real_escape_string(addslashes($cThis[$key]));
}
return $res;
}
function add($info)
{
$this->dbConnect();
$cInfo = $this->clean($info);
mysql_query("INSERT INTO table (b, c) VALUES ('".$cInfo['b']."', '".$cInfo['c']."')");
$this->dbDisconnect();
}
}
$db = DB::connect($dsn);
$sth = $db->prepare("INSERT INTO table (b, c) VALUES (?, ?)");
$res = $sth->execute(array($info['b'], $info['c']));
$db->disconnect()
gpc\u magic\u quotes$db = DB::connect($dsn);
$sth = $db->prepare("INSERT INTO table (b, c) VALUES (?, ?)");
$res = $sth->execute(array($info['b'], $info['c']));
$db->disconnect()
哦,还要确保
gpc\u magic\u quotespg_query_params$this->dbconnmysqli\u initmysqlmysqli/**
* Returns the single value of the array mysqli_query_params__parameters
*
* @param $at the position of the parameter inside the array mysqli_query_params__parameters
* @return mixed
*/
public function mysqli_query_params__callback( $at )
{
return $this->mysqli_query_params__parameters[ $at[1]-1 ];
}
/**
* Parameterised query implementation for MySQL (similar PostgreSQL's PHP function pg_query_params)
* Example: mysqli_query_params( "SELECT * FROM my_table WHERE col1=$1 AND col2=$2", array( 42, "It's ok" ), $dbconn );
*
* @param $query, $parameters, $datadase
* @return mixed(resorce, false)
* @access public
*/
public function mysqli_query_params( $query, $parameters=array(), $database=false )
{
if( !is_array($parameters) ){
return false;
} else {
if($this->is_assoc($parameters)){
$parameters = array_values($parameters);
}
}
// Escape parameters as required & build parameters for callback function
foreach( $parameters as $k=>$v )
{
$parameters[$k] = ( is_int( $v ) ? $v : ( NULL===$v ? 'NULL' : "'".mysqli_real_escape_string( $this->dbconn, $v )."'" ) );
}
$this->mysqli_query_params__parameters = $parameters;
// Call using mysqli_query
if( false === $database )
{
$query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
$result = mysqli_query( $this->dbconn, $query );
if( false === $result )
{
$err_msg = mysqli_error($this->dbconn);
return false;
} else {
return $result;
}
}
else
{
$query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
$result = mysqli_query( $this->dbconn, $query, $database );
if( false === $result )
{
$err_msg = mysqli_error($this->dbconn);
return false;
} else {
return $result;
}
}
return false;
}
PDO将是最好的选择,但万一你没有它。有一些方法模仿mysql的
pg_query_params$this->dbconnmysqli\u initmysqlmysqli/**
* Returns the single value of the array mysqli_query_params__parameters
*
* @param $at the position of the parameter inside the array mysqli_query_params__parameters
* @return mixed
*/
public function mysqli_query_params__callback( $at )
{
return $this->mysqli_query_params__parameters[ $at[1]-1 ];
}
/**
* Parameterised query implementation for MySQL (similar PostgreSQL's PHP function pg_query_params)
* Example: mysqli_query_params( "SELECT * FROM my_table WHERE col1=$1 AND col2=$2", array( 42, "It's ok" ), $dbconn );
*
* @param $query, $parameters, $datadase
* @return mixed(resorce, false)
* @access public
*/
public function mysqli_query_params( $query, $parameters=array(), $database=false )
{
if( !is_array($parameters) ){
return false;
} else {
if($this->is_assoc($parameters)){
$parameters = array_values($parameters);
}
}
// Escape parameters as required & build parameters for callback function
foreach( $parameters as $k=>$v )
{
$parameters[$k] = ( is_int( $v ) ? $v : ( NULL===$v ? 'NULL' : "'".mysqli_real_escape_string( $this->dbconn, $v )."'" ) );
}
$this->mysqli_query_params__parameters = $parameters;
// Call using mysqli_query
if( false === $database )
{
$query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
$result = mysqli_query( $this->dbconn, $query );
if( false === $result )
{
$err_msg = mysqli_error($this->dbconn);
return false;
} else {
return $result;
}
}
else
{
$query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
$result = mysqli_query( $this->dbconn, $query, $database );
if( false === $result )
{
$err_msg = mysqli_error($this->dbconn);
return false;
} else {
return $result;
}
}
return false;
}
是的,PDO总是好的。但如果我们认为PDO不存在。或者这样看。有什么东西可以从我的支票中漏掉吗?就像我忘记了什么(关于clean函数)?@Robert不,直接去监狱,不要通过,等等,或者,换句话说,永远不要使用原始的
mysql.*mysql.*mysql.*addslashes()mysql\u real\u escape\u string()addslashes()magic\u quotes\u gpcmysql.*addslashes()mysql\u real\u escape\u string()addslashes()magic\u quotes\u gpc