I have a BUNCH of $_POST variables being sent in via a long form and instead of hard coding each one with a mysql_escape_string()
is it ok for me to do the following? I don't know if this is actually safe and/or viable code.
我有一个$ _POST变量的BUNCH通过一个长形式发送,而不是使用mysql_escape_string()硬编码每个变量我可以执行以下操作吗?我不知道这是否真的是安全和/或可行的代码。
foreach ($_POST as &$post_item){
$post_item = mysql_escape_string($post_item);
}
I'm fairly certain that because i'm using the &, it's passing it in by reference, not value, so i'm actually changing the value in the $_POST.
我很确定因为我正在使用&,它通过引用传递它,而不是值,所以我实际上是在改变$ _POST中的值。
Also, should I use mysql_real_escape_string()
instead?
另外,我应该使用mysql_real_escape_string()吗?
EDIT: I am using PDO and prepare() along with the above method. Does this take care of it for me?
编辑:我正在使用PDO和prepare()以及上述方法。这会照顾我吗?
3 个解决方案
#1
Why not use array_map()
?
为什么不使用array_map()?
array_map(mysql_real_escape_string, $_POST);
But in reality you should be using parametrized/prepared statements.
但实际上你应该使用参数化/准备好的语句。
mysql_real_escape_string()
takes the current database character set into account, mysql_escape_string()
does not. So the former is the better alternative in comparison.
mysql_real_escape_string()将当前数据库字符集考虑在内,mysql_escape_string()则不考虑。所以前者是比较好的替代方案。
Edit (following up the OP's edit to the question):
编辑(跟进OP对问题的编辑):
Since you already do PDO prepared statements, there is no need to modify your values. PDO takes care of everything, that's the whole point of it (If you really put all data in parameters, that is - just concatenating strings to build SQL statements leads to disaster with PDO or without). Escaping the values beforehand would lead to escaped values in the database.
由于您已经完成了PDO预处理语句,因此无需修改您的值。 PDO负责所有事情,这就是它的全部要点(如果你真的将所有数据都放在参数中,那就是 - 只是连接字符串来构建SQL语句会导致PDO发生灾难或者没有)。事先转义值会导致数据库中的转义值。
#2
Yes, you should be using mysql_real_escape_string()
, if you're going to go that route. But the correct way to make sure the variables are safe to send to the database is using Parameterized Queries which are provided in PHP through either the mysqli functions or PDO.
是的,你应该使用mysql_real_escape_string(),如果你要去那条路线的话。但是确保变量可以安全发送到数据库的正确方法是使用参数化查询,它通过mysqli函数或PDO在PHP中提供。
#3
In addition to the previous comments, another benefit to using parameterised queries is that the database will be able to do better optimisations and probably use a cached query plan so you will get better performance.
除了之前的注释之外,使用参数化查询的另一个好处是数据库将能够进行更好的优化,并且可能使用缓存的查询计划,这样您将获得更好的性能。
#1
Why not use array_map()
?
为什么不使用array_map()?
array_map(mysql_real_escape_string, $_POST);
But in reality you should be using parametrized/prepared statements.
但实际上你应该使用参数化/准备好的语句。
mysql_real_escape_string()
takes the current database character set into account, mysql_escape_string()
does not. So the former is the better alternative in comparison.
mysql_real_escape_string()将当前数据库字符集考虑在内,mysql_escape_string()则不考虑。所以前者是比较好的替代方案。
Edit (following up the OP's edit to the question):
编辑(跟进OP对问题的编辑):
Since you already do PDO prepared statements, there is no need to modify your values. PDO takes care of everything, that's the whole point of it (If you really put all data in parameters, that is - just concatenating strings to build SQL statements leads to disaster with PDO or without). Escaping the values beforehand would lead to escaped values in the database.
由于您已经完成了PDO预处理语句,因此无需修改您的值。 PDO负责所有事情,这就是它的全部要点(如果你真的将所有数据都放在参数中,那就是 - 只是连接字符串来构建SQL语句会导致PDO发生灾难或者没有)。事先转义值会导致数据库中的转义值。
#2
Yes, you should be using mysql_real_escape_string()
, if you're going to go that route. But the correct way to make sure the variables are safe to send to the database is using Parameterized Queries which are provided in PHP through either the mysqli functions or PDO.
是的,你应该使用mysql_real_escape_string(),如果你要去那条路线的话。但是确保变量可以安全发送到数据库的正确方法是使用参数化查询,它通过mysqli函数或PDO在PHP中提供。
#3
In addition to the previous comments, another benefit to using parameterised queries is that the database will be able to do better optimisations and probably use a cached query plan so you will get better performance.
除了之前的注释之外,使用参数化查询的另一个好处是数据库将能够进行更好的优化,并且可能使用缓存的查询计划,这样您将获得更好的性能。