douyi1982 2012-08-28 15:05
浏览 24
已采纳

安全的班级建设

Is it secure to call __construct() in login or sign up class this way:

function __construct(PDO $DBH, $_POST['1'], $_POST['2'])
{
    $this->_user=$_POST['1'];
    $this->_pass=$_POST['2'];
    $this->_DBH=$DBH;
}

I want to sanitize user input later inside this class and I'm not sure would my code be ripe for SQL injection or XSS because of class costructed with raw POST input?

  • 写回答

5条回答 默认 最新

  • dqol6556 2012-08-28 15:08
    关注

    If you know you sanitize/use prepared statements (i.e. the raw POST data is not inserted as is to the query), it's fine to do so.

    In fact, if you use prepared statements, you don't need to sanitize your input at all (for SQL, if you're going to display the data as HTML, it still needs to be sanitized as such).

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(4条)

报告相同问题?

悬赏问题

  • ¥15 ogg dd trandata 报错
  • ¥15 高缺失率数据如何选择填充方式
  • ¥50 potsgresql15备份问题
  • ¥15 Mac系统vs code使用phpstudy如何配置debug来调试php
  • ¥15 目前主流的音乐软件,像网易云音乐,QQ音乐他们的前端和后台部分是用的什么技术实现的?求解!
  • ¥60 pb数据库修改与连接
  • ¥15 spss统计中二分类变量和有序变量的相关性分析可以用kendall相关分析吗?
  • ¥15 拟通过pc下指令到安卓系统,如果追求响应速度,尽可能无延迟,是不是用安卓模拟器会优于实体的安卓手机?如果是,可以快多少毫秒?
  • ¥20 神经网络Sequential name=sequential, built=False
  • ¥16 Qphython 用xlrd读取excel报错