doupi1532
2012-04-11 03:22

Is this the correct way to escape multiple fields?

Accepted

I had just hired someone to do a secure form, and pasted below is just a snippet of a larger piece of code:

        $_POST = escape_all($_POST);

        $some1 = $_POST['some1'];
        $some2 = $_POST['some2'];
        $some3 = $_POST['some3'];
        $some4 = $_POST['some4'];
        $some5 = $_POST['some5'];
        $some6 = $_POST['some6'];
        $some7 = $_POST['some7'];
        $some8 = $_POST['some8'];

Is that the right way, or should I add mysql_real_escape_string() to all of the variables?


1 answer

  • dongyi6668 9 years ago

    That looks like he's written a custom function to escape. As long as that escape_all function is calling mysql_real_escape_string, it will technically work, although I wouldn't say it's the preferred solution for a few reasons.

    Firstly, you'll want to be careful that you aren't escaping anywhere else, as it can easily lead to double escaping, which can cause other problems.

    Also, you can end up escaping a whole lot of data that doesn't need to be escaped depending on the situation, if performance is a concern.

    And yes, using mysqli instead of mysql is generally preferable.

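As an added example (not code from the question or the answer), the double-escaping hazard the answer describes, next to the mysqli prepared-statement route it recommends. escape_all() below is a hypothetical stand-in for the custom function in the question, rewriting the same characters mysqli_real_escape_string() handles so the demo runs without a database; insert_surname() assumes an open mysqli connection and a hypothetical table.

```php
<?php
// Added example, not from the question or the answer.
// escape_all() is a hypothetical stand-in for the custom function named in
// the question: it rewrites the same characters mysqli_real_escape_string()
// does (NUL, \n, \r, \, ', " and Control-Z) so the demo runs without a DB.
function escape_all(array $input): array {
    $map = [
        "\\" => "\\\\", "'" => "\\'", "\"" => "\\\"",
        "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z",
    ];
    $out = [];
    foreach ($input as $key => $value) {
        $out[$key] = is_array($value) ? escape_all($value) : strtr($value, $map);
    }
    return $out;
}

// Shows the double-escaping problem the answer warns about.
// Returns [escaped once, escaped twice] for a constructed surname.
function double_escaping_demo(): array {
    $post = ['some1' => "O'Brien"];   // constructed sample input
    $once = escape_all($post);        // escaped at the top of the script
    $twice = escape_all($once);       // escaped again further down by mistake
    return [$once['some1'], $twice['some1']];
}

[$once, $twice] = double_escaping_demo();
echo "escaped once:  $once\n";   // O\'Brien    -> MySQL stores O'Brien
echo "escaped twice: $twice\n";  // O\\\'Brien  -> MySQL stores O\'Brien

// Preferred: no manual escaping at all; bind the raw value with mysqli.
// $db is assumed to be an open mysqli connection; table and column are
// hypothetical. The driver keeps the data separate from the SQL text.
function insert_surname(mysqli $db, string $surname): bool {
    $stmt = $db->prepare('INSERT INTO people (surname) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $surname);
    return $stmt->execute();
}
```

Every extra escaping pass adds another backslash to the stored value, which is why escaping exactly once at the point of use, or better, binding parameters, is the safer pattern.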
