doupi1532 2012-04-11 03:22
Views: 23
Accepted

Is this the right way to escape multiple fields?

I had just hired someone to do a secure form and pasted below is just a snippet of a large code:

        <?php
        // escape_all() is the contractor's own helper and is not shown in the snippet;
        // it is assumed to walk the array and escape every value for use in SQL.
        $_POST = escape_all($_POST);

        // Every field is then read from the already-escaped array.
        $some1 = $_POST['some1'];
        $some2 = $_POST['some2'];
        $some3 = $_POST['some3'];
        $some4 = $_POST['some4'];
        $some5 = $_POST['some5'];
        $some6 = $_POST['some6'];
        $some7 = $_POST['some7'];
        $some8 = $_POST['some8'];

Is that the right way, or should I add mysql_real_escape_string() to all of the variables?


1 answer

  • dongyi6668 2012-04-11 03:26

    That looks like he's written a custom function to escape. As long as that escape_all function is calling mysql_real_escape_string, it will technically work, although I wouldn't say it's the preferred solution for a few reasons.

    Firstly, you'll want to be careful that you aren't escaping anywhere else, as it can easily lead to double escaping, which can cause other problems.

    Also, you can end up escaping a whole lot of data that doesn't need to be escaped depending on the situation, if performance is a concern.

    And yes, using mysqli instead of mysql is generally preferable.

    This answer was selected by the asker as the best answer.
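The two points the answer makes (escape each value exactly once, at the point where it enters a query, and prefer mysqli) are easier to see side by side. The following is an added example, not the question's code or the contractor's escape_all(); it assumes a reachable MySQL server with placeholder credentials, a table `users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64), email VARCHAR(128))`, and the mysqli extension (the old mysql_* functions the question mentions were removed in PHP 7.0). The `show_double_escape()` helper reproduces the double-escaping problem the answer warns about: an array escaped up front by a helper like escape_all() and then escaped again at the query is stored with stray backslashes.

```php
<?php
// Added example; not from the original question or answer.
// Assumes: MySQL reachable with the placeholder credentials below and a table
//   users(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64), email VARCHAR(128))
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$db->set_charset('utf8mb4'); // escaping is charset-dependent: set the charset before escaping anything

// Constructed sample request standing in for $_POST
$request = [
    'some1' => "O'Reilly",          // contains a quote, so escaping matters
    'some2' => 'bob@example.com',
    'some3' => 'never used in SQL', // escaping this would be wasted work
];

// 1. Escape at the point of use: only the values that enter SQL text, each exactly once.
function insert_user_escaped(mysqli $db, array $request): int {
    $name  = $db->real_escape_string($request['some1']);
    $email = $db->real_escape_string($request['some2']);
    $db->query("INSERT INTO users (name, email) VALUES ('$name', '$email')");
    return $db->insert_id;
}

// What happens when a whole-array helper escapes first and the query code escapes again:
// the second pass escapes the backslashes added by the first, so MySQL stores O\'Reilly.
function show_double_escape(mysqli $db, string $value): array {
    $once  = $db->real_escape_string($value);  // O\'Reilly   -> stored as O'Reilly
    $twice = $db->real_escape_string($once);   // O\\\'Reilly -> stored as O\'Reilly
    return ['once' => $once, 'twice' => $twice];
}

// 2. Preferred: prepared statement with bound parameters. No escaping is needed and
//    double escaping is impossible, because the data never becomes part of the SQL text.
function insert_user_prepared(mysqli $db, array $request): int {
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $request['some1'], $request['some2']);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

$id1 = insert_user_escaped($db, $request);
$id2 = insert_user_prepared($db, $request);
print_r(show_double_escape($db, $request['some1']));
```

If escape_all() stays, the rule is that nothing downstream may call real_escape_string on those values again; with prepared statements that rule disappears, which is why the mysqli route is the one to standardise on.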
