doumi1311 2012-04-11 21:02
44 views
Accepted

Semi-automatically adding security to insecure PHP mysql scripts

I have a lot of files which have things like

1- mysql_query("update ... $_POST['foo'] ...");

I want to transform that to this

2- $foo = mysql_real_escape_string($_POST['foo']);
3- mysql_query("update ... $foo ...");

I had the idea to open each file, select the text $_POST['foo'] (from 1-), press a key combination, and then have some tool automatically:

  • put on my clipboard mysql_real_escape_string($_POST['foo']); (for adding in 2-)
  • replace the text in 1- with the text in 3-

Then I manually write $foo = and press ctrl+v to generate 2-.

I'm trying with notepad++ and a plugin called fingertext, and trying to make a macro, but have had no success.

Any suggestion?
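The transformation the question describes, as an added example that is not part of the question or of either answer: a Python script that rewrites each one-line mysql_query() call, emits the `$foo = mysql_real_escape_string($_POST['foo']);` assignment in front of it and substitutes `$foo` into the query. The PHP input is constructed for the example. The script only handles references that sit on the same line as the mysql_query( call, leaves a reference already wrapped in mysql_real_escape_string() alone, and does not check whether the interpolated value sits inside quotes in the SQL, which is the only context where escaping helps.

```python
"""Rewrite one-line mysql_query() calls that interpolate raw request data.

Added example for the question above; the sample input is constructed.
Turns     mysql_query("... $_POST['foo'] ...");
into      $foo = mysql_real_escape_string($_POST['foo']);
          mysql_query("... $foo ...");
"""
import re

# Matches $_POST['foo'], $_GET["foo"], $_POST[foo] and the {$_POST['foo']}
# form PHP needs inside double-quoted strings. The negative lookbehind skips a
# reference that is already wrapped in mysql_real_escape_string(, so an
# already-hardened line is not escaped twice.
REF_RE = re.compile(
    r"(?<!mysql_real_escape_string\()"
    r"\{?\$_(?P<src>POST|GET|REQUEST|COOKIE)\[(?P<q>['\"]?)(?P<key>\w+)(?P=q)\]\}?"
)


def harden_query_line(line: str) -> list:
    """Return the line(s) that replace one source line.

    Lines without a mysql_query( call, or without a request superglobal on
    the same line, come back unchanged. Otherwise the result is one escaping
    assignment per distinct reference (same indent as the query), followed by
    the query with each reference replaced by its variable. Queries split
    over several lines are not handled.
    """
    if "mysql_query" not in line:
        return [line]
    refs = list(REF_RE.finditer(line))
    if not refs:
        return [line]

    indent = line[: len(line) - len(line.lstrip())]
    names = {}  # (superglobal, key) -> PHP variable name, in first-seen order
    for m in refs:
        src, key = m.group("src"), m.group("key")
        if (src, key) in names:
            continue
        name = "$" + key
        if name in names.values():  # same key taken from two superglobals
            name = "$" + src.lower() + "_" + key
        names[(src, key)] = name

    assignments = [
        indent + name + " = mysql_real_escape_string($_" + src + "['" + key + "']);"
        for (src, key), name in names.items()
    ]
    query = REF_RE.sub(lambda m: names[(m.group("src"), m.group("key"))], line)
    return assignments + [query]


def harden_file(php_source: str) -> str:
    """Apply harden_query_line to every line of a PHP file's text."""
    out = []
    for line in php_source.splitlines():
        out.extend(harden_query_line(line))
    return "\n".join(out) + "\n"


# Constructed sample input, not a file from the question.
SAMPLE = "\n".join([
    "<?php",
    "$link = mysql_connect('localhost', 'app', 'secret');",
    "    mysql_query(\"update users set name = '$_POST[name]' where email = '{$_POST['email']}'\");",
    "mysql_query(\"insert into log (who) values ('\" . mysql_real_escape_string($_POST['name']) . \"')\");",
    "mysql_query(\"select 1\");",
])

if __name__ == "__main__":
    print(harden_file(SAMPLE))
```

Running it prints the sample with the update query expanded to two assignments plus the rewritten query, while the log insert (already escaped) and the constant query pass through untouched. A reference used from both $_POST and $_GET on one line gets `$x` and `$get_x` so the two assignments do not clobber each other.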

2 answers

  • duanqiao1961 2012-04-11 21:06
    // Escape every request value in place, once, right after mysql_connect():
    // mysql_real_escape_string() needs an open connection.
    $_POST = sanitize($_POST);
    $_GET = sanitize($_GET);

    function sanitize($input) {
        if (is_array($input)) {
            // Recurse into nested arrays (foo[] inputs), keeping the keys.
            $output = array();
            foreach ($input as $var => $val) {
                $output[$var] = sanitize($val);
            }
        } else {
            // Undo magic_quotes_gpc first so the value is not escaped twice.
            if (get_magic_quotes_gpc()) {
                $input = stripslashes($input);
            }
            $output = mysql_real_escape_string($input);
        }
        return $output;
    }
    

    It's not perfect, but if you have a lot of insecure pages and need a quick fix to make them all secure, you can put this after connecting to mysql. Also, keep in mind that if your query has unquoted numeric variables, you will have to either validate that they are numbers or type-cast them before using them in your query. mysql_real_escape_string() only works on quoted values (i.e. blah_column = 'value', but not blah_column = value).

    Selected by the asker as the best answer.
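The caveat in the answer (escaping only protects a value that sits inside quotes) as an added example, not part of the answer: a Python model of what mysql_real_escape_string() does to a string, a small tokenizer that shows how the server's parser sees the resulting query, and the strict integer check the answer recommends for the unquoted case. The escape table assumes a single-byte or UTF-8 connection charset; the real function is charset-aware and uses the connection as context, which this model omits. The queries and inputs are constructed.

```python
"""Why mysql_real_escape_string() only helps inside quoted SQL literals.

Added example for the answer above; queries and inputs are constructed.
"""
import re
from typing import List, Optional

# The characters mysql_real_escape_string() rewrites. Assumes a single-byte
# or UTF-8 connection charset; the real function is charset-aware.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Model of mysql_real_escape_string(): backslash-escape the table above."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def tokenize(sql: str) -> List[str]:
    """Split SQL on whitespace, keeping a single-quoted literal (with
    backslash escapes, MySQL's default) as one token: a rough picture of
    what the server's parser sees."""
    tokens, i, n = [], 0, len(sql)
    while i < n:
        if sql[i].isspace():
            i += 1
        elif sql[i] == "'":
            j = i + 1
            while j < n and sql[j] != "'":
                j += 2 if sql[j] == "\\" else 1  # an escaped char never closes the literal
            tokens.append(sql[i:j + 1])
            i = j + 1
        else:
            j = i
            while j < n and not sql[j].isspace() and sql[j] != "'":
                j += 1
            tokens.append(sql[i:j])
            i = j
    return tokens


def quoted_query(raw: str) -> str:
    """Quoted context: the escaped value stays one string literal."""
    return "select * from users where name = '" + mysql_escape(raw) + "'"


def unquoted_query(raw: str) -> str:
    """Unquoted numeric context: escaping runs but has nothing to protect."""
    return "select * from users where id = " + mysql_escape(raw)


def parse_int(raw: str) -> Optional[int]:
    """Strict validation for unquoted values: an optionally signed run of
    digits and nothing else. Returns None for anything else."""
    if re.fullmatch(r"\s*[+-]?\d+\s*", raw) is None:
        return None
    return int(raw)


def safe_unquoted_query(raw: str) -> str:
    """The fix the answer recommends: validate (or cast) before interpolating."""
    value = parse_int(raw)
    if value is None:
        raise ValueError("id must be an integer, got %r" % raw)
    return "select * from users where id = %d" % value


if __name__ == "__main__":
    payload = "1 OR 1=1"
    print(tokenize(quoted_query(payload)))    # the value is one literal token
    print(tokenize(unquoted_query(payload)))  # three extra top-level tokens
    print(safe_unquoted_query("42"))
```

With `1 OR 1=1` as input, mysql_escape() returns it unchanged because it contains nothing from the escape table; inside quotes it is a harmless string literal, unquoted it becomes three extra tokens in the WHERE clause. The same function turns `x' OR '1'='1` into a single literal token, which is the case escaping does cover.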
