dth96108 2011-06-25 01:34
浏览 209
已采纳

如何清理字符串以避免SQL注入和最常见的攻击类型? (在PHP中)

Is there a way to, in as little code as possible, to filter a string for both SQL injection and the most common forms of attack?

In my scripts I'm using the following, I would like to know whether it's reasonably safe and whether someone else has a suggestion:

$cleanName    = htmlspecialchars(addslashes($dirtyName));

See how I filtered it both for html chars and for quotes and double-quotes.

NOTE: I'm using addslashes() rather than mysql_real_escape_string() because I don't want to hardcode the DB I'm using into my code.

Is this ok?

Thanks in advance

  • 写回答

4条回答 默认 最新

  • duane9322 2011-06-25 01:42
    关注

    Probably not... you need to escape your raw text for each purpose separately for which you are going to use it:

    • For GET requests, use urlencode.
    • For HTML output, use htmlentities.
    • For calling as a command via system, use escapeshellcmd.
    • For passing arguments to a command via system: use escapeshellargs.
    • For passing a database parameter: use mysql_real_escape_string.

    There's no "universal" solution for magically escaping text. Keep raw text internally, and escape it for the appropriate purpose.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥15 微信小程序协议怎么写
  • ¥15 c语言怎么用printf(“\b \b”)与getch()实现黑框里写入与删除?
  • ¥20 怎么用dlib库的算法识别小麦病虫害
  • ¥15 华为ensp模拟器中S5700交换机在配置过程中老是反复重启
  • ¥15 java写代码遇到问题,求帮助
  • ¥15 uniapp uview http 如何实现统一的请求异常信息提示?
  • ¥15 有了解d3和topogram.js库的吗?有偿请教
  • ¥100 任意维数的K均值聚类
  • ¥15 stamps做sbas-insar,时序沉降图怎么画
  • ¥15 买了个传感器,根据商家发的代码和步骤使用但是代码报错了不会改,有没有人可以看看