I'm trying to figure out a good easy way to avoid SQL Injection and so far I've only been able to come up with two ideas:

Base64 encode the user input (Don't really want to do this)
Use regex to remove unwanted characters. (Currently using this, not sure if it's 100% safe)

Here is my current code:

    <?php
        $hash = $_GET['file'];

        if (isset($hash))
        {
            $db = new SQLite3("Files.db");

            if ($db != null)
            {
                $hash = preg_replace('/[^A-Za-z0-9 _.\-+=]/', '_', $hash);

                if ($response = $db->query("SELECT [FILE] FROM '$hash'"))
                {
                    echo $response->fetchArray()[0]; // File name is returned if successful.
                }
            }
        }
    ?>

My question is am I going about this the right way or are there any better ways to do this?

SQL注入时+--+的意思和作用？

Geek青松

1个回复