I don't know when to use each one of them.
$name = mysqli_real_escape_string($connection, $_POST['name']);
or
$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
mysqli_real_escape_string vs filter_input()? 我应该使用什么方法?
- 写回答
- 好问题 0 提建议
- 追加酬金
- 关注问题
分享- 邀请回答
-
1条回答 默认 最新
- dongzeao5047 2016-02-02 07:55关注
real_escape_string()have to be used for the sql strings, i.e. parts of the query enclosed in quotes. Have to be used unconditionally, despite of whatever previous manipulations.real_escape_string()Escapes special characters in a string for use in an SQL statement, taking into account the current char set of the connection.Where as
filter_inputGets a specific external variable by name and optionally filters it.filter_inputwill provide you way to validate input for specific string and characters.- Validate filters
- Sanitize filters
- Other filters
- Filter flags
Validate filters
As name suggested it is use for validation for specific input like
FILTER_VALIDATE_EMAIL.$email = "abc@example"; // wrong email if(filter_var($email, FILTER_VALIDATE_EMAIL)){ echo $email.'<br>'; var_dump(filter_var($email, FILTER_VALIDATE_EMAIL)); }else{ var_dump(filter_var($email, FILTER_VALIDATE_EMAIL)); }Sanitize filters it will use for validate and remove characters from string.
FILTER_SANITIZE_EMAIL "email" Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].For more information on filter_value.
So I think that both have different roles to play.
解决 无用评论 打赏举报 分享
- 2012-03-11 07:04回答 2 已采纳 Like many other PHP users you are taking escaping wrong. You taking it as a some sort of magic wan
- 2014-07-15 06:44回答 1 已采纳 You can do it by more than one way : 1.1- Try putting the escape function inside the connect clas
- 2017-01-06 17:16回答 1 已采纳 If this is not your whole script, you need to initialize error to some value before concatenating
- 2021-04-22 09:34杨养羊的博客 尝试验证然后清理$_GET...这是我的……if (isset($_GET['id'])) {$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);if (!$id) {echo 'Error';exit();}$id = filter_input(INPUT_GET, 'id', FILTER_SANITI...
- 2014-07-28 10:54回答 1 已采纳 Indeed, you do not need that. You either validate, or you sanitise. Validation is a binary result
- 2018-04-01 22:13回答 2 已采纳 Found problems: First code line is wrong: <? php. The php file presents then the code like a
- 2014-11-28 22:03回答 1 已采纳 If you want to test the original data, then why not just actually test the original data? if($_PO
- 2021-04-10 10:29大乘虚怀苦的博客 我正在尝试提出一种方法,可以通过一个函数有效轻松地清除所有POST和GET变量。 这是函数本身://clean the user's inputfunction cleanInput($value, $link = ''){//if the variable is an array, recurse into itif...
- 2014-01-16 14:38回答 2 已采纳 Because now string escaping also requires the connection handle. All of the following need to be u
- 2014-04-19 19:33回答 5 已采纳 simply put your r.php code in index.php and then change the form action, just put it as action=""
- 2018-04-05 21:49回答 1 已采纳 Okay, so instead of using cookies to transfer data with your xmlHttpRequest() you can pass informa
- 2021-03-16 23:55weixin_39727706的博客 本问题已经有最佳答案,请猛点这里...我想用sha512。$con=mysqli_connect("localhost","root","","users");// Check connectionif (mysqli_connect_errno()){echo"Failed to connect to MySQL:" . mysqli_connect...
- 2017-05-11 10:25回答 1 已采纳 Pass your x object as param to update function.. <a class="button button-info" ng-click="upda
- 2021-01-28 12:42TraceYang的博客 this is my php code$con=mysqli_connect("","","","");if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error();}\\check connection$username = mysqli_real_escape_stri...
- 2024-04-29 20:382401_84248681的博客 由于php是弱类型语言,会使用这个函数来判断一下。min,max生成随机整数延迟执行当前脚本若干秒检测变量是否已设置并且非 NULLmessage输出一条消息,并退出当前脚本。可以用于md5相等,但两值不相等的情况、sha1()和...
- 2021-04-17 02:45珠仪的博客 GET”,同时又提到“可以尝试在php.ini中开启magic_quotes_gpc,这样对于所有由用户GET、POST、COOKIE中传入的特殊字符都会转义”,我很纠结,是否开启magic_quotes_gpc就可以直接使用$_GET?如下面例子中的代码本人...
- 2024-04-29 20:372401_84247760的博客 rows(result) 返回结果集中行的数量 mysqli_real_escape_string(connection,escapestring) 转义在 SQL 语句中使用的字符串中的特殊字符,难道转义后我们就没有办法注入了?NO!!! php官方函数参考手册中写到,会被...
- 2024-05-01 17:392401_84247423的博客 rows(result) 返回结果集中行的数量 mysqli_real_escape_string(connection,escapestring) 转义在 SQL 语句中使用的字符串中的特殊字符,难道转义后我们就没有办法注入了?NO!!! php官方函数参考手册中写到,会被...
- 2021-03-23 13:14樱红蕉绿的博客 MySQLi里同样提供有像PDO bindParam一样的bind_param,这时就不需要用addslashes,mysqli_real_escape_string之类的函数了,也不需要依赖magic_quotes_gpc配置了(该配置从PHP5.4开始已经被移除). 用PDO操作MySQL时注意...
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 下图接收小电路,谁知道原理
- ¥15 装 pytorch 的时候出了好多问题,遇到这种情况怎么处理?
- ¥20 IOS游览器某宝手机网页版自动立即购买JavaScript脚本
- ¥15 手机接入宽带网线,如何释放宽带全部速度
- ¥30 关于#r语言#的问题:如何对R语言中mfgarch包中构建的garch-midas模型进行样本内长期波动率预测和样本外长期波动率预测
- ¥15 ETLCloud 处理json多层级问题
- ¥15 matlab中使用gurobi时报错
- ¥15 这个主板怎么能扩出一两个sata口
- ¥15 不是,这到底错哪儿了😭
- ¥15 2020长安杯与连接网探