dongxingji3882 2014-04-11 16:13
Views: 84
Accepted

Filtering input and isset

Do I need to filter both $_GET['action'] and $_GET['id']?

Normal

if (isset($_GET['action']) && $_GET['action'] == 'delete') {
    /* Do Something */
}

Filtered

// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
if (isset($_GET['action']) && filter_input(INPUT_GET, 'action', FILTER_SANITIZE_STRING) == 'delete') {
    /* Do Something */
}

Normal

if (isset($_GET['id']) && !empty($_GET['id'])) {
    /* Do Something */
}

Filtered

if (isset($_GET['id']) && !empty(filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT))) {
    /* Do Something */
}

Edit: Do I need to filter $id (with filter_input), or does PDO::PARAM_INT do the same thing?

if (isset($_GET['id']) && !empty($_GET['id'])) {
    $id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT);
    $query = "SELECT * FROM table WHERE id = :id";
    $stmt = $dbh->prepare($query);
    $stmt->bindParam(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    print htmlspecialchars($row['test'], ENT_QUOTES, 'UTF-8');
}

2 answers

  • drgm51600 2014-04-11 17:19

    Since you only check the values, it is not strictly necessary in the sample code you gave.
    HOWEVER, it is always a good habit to sanitize your inputs, because you will probably do something with them. Read about the XSS exploit if you want an example of why it is not a good idea to use your inputs without sanitizing them.

    This answer was selected as the best answer by the asker.
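An added example, not code from the question or the answer: it runs the two filter styles from the question side by side on constructed inputs, then does the id lookup with validation before PDO binding and escaping on output. The in-memory SQLite `demo` table, its sample row and the `fetchTestById` function are assumptions made for this demo.

```php
<?php
declare(strict_types=1);

// Sanitizing removes offending characters and keeps going; validating
// rejects the whole value. Constructed sample inputs:
$samples = ['42', '42abc', 'abc', '-'];
foreach ($samples as $raw) {
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    $validated = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    // '42abc' sanitizes to '42' (silently changed), but fails validation
    printf("%-8s sanitize=%-6s validate=%s\n", var_export($raw, true),
        var_export($sanitized, true), var_export($validated, true));
}

// Returns the escaped 'test' column for a valid positive integer id,
// or null when the id is missing, malformed, or not found.
function fetchTestById(PDO $dbh, array $get): ?string
{
    // filter_input(INPUT_GET, ...) reads the real superglobal; filter_var on
    // a plain array lets the same check run on a constructed $get here.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;  // reject; do not try to "repair" the value
    }
    // Binding protects the query from injection regardless of $id's content
    $stmt = $dbh->prepare('SELECT test FROM demo WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Escape on output: parameter binding protects the query, not the HTML page
    return htmlspecialchars($row['test'], ENT_QUOTES, 'UTF-8');
}

// Constructed in-memory database standing in for $dbh from the question
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE demo (id INTEGER PRIMARY KEY, test TEXT)');
$dbh->exec("INSERT INTO demo VALUES (1, 'Tom & \"Jerry\" <b>')");

var_dump(fetchTestById($dbh, ['id' => '1']));         // escaped text
var_dump(fetchTestById($dbh, ['id' => '1 OR 1=1']));  // null: fails validation
var_dump(fetchTestById($dbh, []));                    // null: id missing
```

Validation answers the question's second part: PDO::PARAM_INT keeps the query safe, but it does not tell you that '42abc' was not a real id, so checking the value first and escaping on output are both still needed.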
