douren6035 2012-12-20 17:44
浏览 13
已采纳

PHP SQL注入和保护? [重复]

Possible Duplicate:
How to prevent SQL injection?

This is my attempt at cleaning up what I will be putting into my database

$pictureID = $_REQUEST['pictureID'];
$userID = $_REQUEST['userID'];
$username = $_REQUEST['username'];

//Sanatize //Protext against injection

$username = filter_var($username, FILTER_SANITIZE_EMAIL);
$userID = filter_var($userID, FILTER_SANITIZE_STRING);
$pictureID = filter_var($pictureID, FILTER_SANITIZE_STRING);

$username = stripslashes($username);
$username = mysql_real_escape_string($username);

$userID = stripslashes($userID);
$userID = mysql_real_escape_string($userID);

$pictureID = stripslashes($pictureID);
$pictureID = mysql_real_escape_string($pictureID);

I have two questions, is the above enough?

Also, if I do echo $pictureID nothing appears, however, if I remove the $pictureID = mysql_real_escape_string($pictureID); then echo $pictureID works.

Is this the correct behavior?

  • 写回答

2条回答 默认 最新

  • douwen8424 2012-12-20 17:47
    关注

    Wow...

    You really do not need that much.

    Try using PDO or mysqli with a prepared query, then all of that nonsense should not be needed.

    See this canned comment for advice:

    Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 这个主板怎么能扩出一两个sata口
  • ¥15 不是,这到底错哪儿了😭
  • ¥15 2020长安杯与连接网探
  • ¥15 关于#matlab#的问题:在模糊控制器中选出线路信息,在simulink中根据线路信息生成速度时间目标曲线(初速度为20m/s,15秒后减为0的速度时间图像)我想问线路信息是什么
  • ¥15 banner广告展示设置多少时间不怎么会消耗用户价值
  • ¥16 mybatis的代理对象无法通过@Autowired装填
  • ¥15 可见光定位matlab仿真
  • ¥15 arduino 四自由度机械臂
  • ¥15 wordpress 产品图片 GIF 没法显示
  • ¥15 求三国群英传pl国战时间的修改方法