这是过滤数据、防止sql注入和其他攻击的安全方法吗?

I created two simple functions to filter inserted data before it's entered into a mysql query.

我创建了两个简单的函数，在插入数据进入mysql查询之前对其进行过滤。

For formfields (I am also using regular expressions to check each field individually.

对于formfields(我还使用正则表达式分别检查每个字段。

// Form filter
function filter($var) 
{               

    // HTML is not allowed
    $var = strip_tags(trim($var)); 

    // Check magic quotes and stripslashes
    if(get_magic_quotes_gpc())
    { 
        $var = stripslashes($var);
}

    // Not using it right now, is it recommended?
    // $var = htmlentities($var, ENT_QUOTES);

    // Escape
    $var = mysql_real_escape_string($var);

    // Return    
    return $var; 
}

Then for id's (sent in the URL) I am using this filter:

然后对于id(发送到URL)，我使用这个过滤器:

// ID filter
function idfilter($idfilter)
{
// Delete everything except numbers
$idfilter = ereg_replace("[^0-9]", "", $idfilter);

// Round numbers
$idfilter = round($idfilter);

// Test if the input is indeed a number
if(!is_numeric($idfilter) || $idfilter % 1 != 0)
{
    $idfilter = 0;
}

// Filter using the formfilter (above)
return filter($idfilter);
}

Are there suggestions to add or strip from these simple functions? And is it "safe"?

有什么建议可以添加或删除这些简单的函数吗?“安全”吗?

3 个解决方案

#1

You're using deprecated function as magic_quotes and ereg_*. To prevent Sql injection you should use prepared statement (I suggest to use PDO) and to prevent XSS you should use strip_tags() as you're doing.

您正在使用已废弃的函数作为magic_quotes和ereg_*。为了防止Sql注入，您应该使用预处理语句(我建议使用PDO)，为了防止XSS，您应该使用strip_tags()。

#2

Use parameters in your queries instead of concatenating string.

在查询中使用参数，而不是连接字符串。

Filters and cleaners are usually not safe enough.

过滤器和清洁剂通常不够安全。

#3

If you are using integer ids idFilter() can be safely stripped down to

如果您使用的是整数id idFilter()，可以安全地简化为

function idfilter($idfilter) {
  return (int)$idfilter;
}

As others have suggested, using parametrized queries is the right way to go though.

正如其他人所建议的，使用参数化查询是正确的方法。

#1