doumi1311 2012-04-11 21:02
Views: 44
Accepted

Semi-automatically adding security to insecure PHP mysql scripts

I have a lot of files which have things like

1- mysql_query("update ... $_POST['foo'] ...");

I want to transform that to this

2- $foo = mysql_real_escape_string($_POST['foo']);
3- mysql_query("update ... $foo ...");

I had the idea to open each file, select the text $_POST['foo'] (from 1-), press a key combination, and then some tool automatically:

  • put on my clipboard mysql_real_escape_string($_POST['foo']); (for adding in 2-)
  • replace the text in 1- with the text in 3-

Then manually write $foo = and press Ctrl+V to generate 2-

I'm trying with notepad++ and a plugin called fingertext, and trying to make a macro, but had no success.

Any suggestion?


2 answers

  • duanqiao1961 2012-04-11 21:06
        // Run once, right after mysql_connect(): mysql_real_escape_string()
        // needs an open connection and escapes for that connection's charset.
        $_POST = sanitize($_POST);
        $_GET = sanitize($_GET);

        // Recursively escape every scalar in the request array, undoing
        // magic_quotes first so values are not escaped twice.
        function sanitize($input) {
            if (is_array($input)) {
                $output = array();   // an empty array must come back as an array, not null
                foreach ($input as $var => $val) {
                    $output[$var] = sanitize($val);
                }
            } else {
                if (get_magic_quotes_gpc()) {
                    $input = stripslashes($input);
                }
                $output = mysql_real_escape_string($input);
            }
            return $output;
        }
    

    It's not perfect, but if you have a lot of insecure pages and need a quick fix to make them all secure, you can put this after connecting to mysql. Also, keep in mind that if your query has unquoted numeric variables, you will have to either validate that they are numbers, or type cast them before using them in your query. mysql_real_escape_string() only works on quoted values (i.e. blah_column = 'value', but not blah_column = value).

    This answer was chosen by the asker as the best answer.
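The answer's caveat about unquoted values, as an added example (Python, not code from the answer): a small model of the escaping mysql_real_escape_string() performs shows that an escaped quote is harmless inside a quoted literal, that the same escaping changes nothing in `WHERE id = 1 OR 1=1`, and that validating or casting to an integer is what closes the unquoted case. The last function scans a query template for `$variables` interpolated outside single quotes, the positions that still need a cast after the answer's global sanitize() has run. The escaping table (NUL, newline, carriage return, backslash, both quote characters, Ctrl-Z) is the documented default-SQL-mode behaviour; treating the input as single-byte/UTF-8 and every function and variable name here are assumptions of the example.

```python
import re


def mysql_real_escape_string(value):
    """Python model of mysql_real_escape_string() for a connection in the
    default SQL mode: NUL, \\n, \\r, backslash, ' and " and Ctrl-Z each get a
    leading backslash. (Assumption: single-byte/UTF-8 connection charset;
    the real function is charset-aware.)"""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def quoted_query(name):
    """Escaped AND quoted: the attacker's quote stays inside the literal."""
    return "SELECT * FROM users WHERE name = '%s'" % mysql_real_escape_string(name)


def unquoted_query(user_id):
    """Escaped but NOT quoted: the pattern the answer warns about. For
    '1 OR 1=1' the escaping is a no-op and the WHERE clause is rewritten."""
    return "SELECT * FROM users WHERE id = %s" % mysql_real_escape_string(user_id)


def to_int_or_none(value):
    """Validate a numeric parameter; None means 'reject the request'."""
    return int(value) if re.fullmatch(r"-?\d+", value.strip()) else None


def numeric_query(user_id):
    """The fix for unquoted positions: validate/cast, do not just escape."""
    n = to_int_or_none(user_id)
    return None if n is None else "SELECT * FROM users WHERE id = %d" % n


def unquoted_placeholders(sql_template):
    """Return the names of $variables interpolated outside single-quoted SQL
    literals in a query template, i.e. the positions where escaping alone is
    no defence. Tracks quote state and skips backslash-escaped characters
    inside a literal so an escaped quote does not flip the state."""
    names, in_quote, i = [], False, 0
    while i < len(sql_template):
        ch = sql_template[i]
        if in_quote and ch == "\\":
            i += 2
            continue
        if ch == "'":
            in_quote = not in_quote
        elif ch == "$" and not in_quote:
            m = re.match(r"\$\{?(\w+)", sql_template[i:])
            if m:
                names.append(m.group(1))
                i += m.end()
                continue
        i += 1
    return names


if __name__ == "__main__":
    print(quoted_query("' OR 1=1 -- "))
    print(unquoted_query("1 OR 1=1"))
    print(numeric_query("1 OR 1=1"), numeric_query("42"))
    print(unquoted_placeholders("update t set name = '$foo' where id = $id"))
```

Running unquoted_placeholders() over every mysql_query() string in the code base gives the list of variables that the answer's sanitize() does not protect and that need the intval()/is_numeric() treatment it mentions.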