Php正则表达式是否可以安全地将数据插入数据库？

I'm inserting data to db with following validation where I only accept ' and & and @ and .. After that I'm using mysqli_real_escape_string($var).

So I see it's output is :

I\'m a good boy &@ is it secure var for input to DB.

My Questions :

1) Is there any security issues will appear if I accept ' and & and @ and . ?
2) If it's not security issues then it's insert \ to db. Is it problem to store data with backslash ?
3) If it's not a problem for security then in user panel data is showing with \. So is it need to escape with stripslashes($var);?

My validation:

$var = "I'm a good boy &@ is it secure var for input to DB.";

if(preg_match("/^[a-zA-Z0-9.'&@ ]+$/", $var) !== 1)
    echo "var is NOT OK.<br/>";
else
    echo "var is ok.<br/>";

mysqli_real_escape_string($link, $var);

写回答
好问题 0 提建议
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
doudeng2025 2014-10-28 22:38
关注
Is there any security issues will appear if I accept ' and & and @ and . ?
There will be security issues as a single quote (') is used for SQL Injection

If it's not security issues then it's insert \ to db. Is it problem to store data with backslash ?
No, there is no problem with storing the data with backslashes, that's how escaping works.

If it's not a problem for security then in user panel data is showing with . So is it need to escape with stripslashes($var);?
Yes, it will cause a problem among display as single quotes will be escaped using a backslash, to display it without a backslash, you can use stripslashes()

All these problems and questions you're mentioning can be simply ignored if you start using prepared statements as it requires no escaping whatsoever, so your database will be SQL Injection-free, there will be no backslashes making your output look bad.
解决无用
评论打赏
分享
举报
编辑

预览
轻敲空格完成输入
显示为

卡片

标题

链接
评论

按下Enter换行，Ctrl+Enter发表内容

编辑

预览

报告相同问题？

关注问题

Php正则表达式是否可以安全地将数据插入数据库？

1条回答 默认 最新

1条回答默认最新