Is it good practice to escape several strings at once, strings that come from POST or GET?
Is there anything else I should consider or do differently? I do have PDO, but in this piece of code I don't want to use it.
class Bo extends Db
{
    // Escapes every value of the array (e.g. $_POST) and returns the escaped copy.
    // Note: addslashes() runs first and mysql_real_escape_string() second on the
    // same value, so every quote and backslash is escaped twice.
    function clean($cThis)
    {
        $res = array();
        foreach (array_keys($cThis) as $key) {
            $res[$key] = mysql_real_escape_string(addslashes($cThis[$key]));
        }
        return $res;
    }

    // Inserts one record; the SQL is built by concatenating the escaped values.
    function add($info)
    {
        $this->dbConnect();
        $cInfo = $this->clean($info);
        mysql_query("INSERT INTO table (b, c) VALUES ('" . $cInfo['b'] . "', '" . $cInfo['c'] . "')");
        $this->dbDisconnect();
    }
}
Answer 0 (score: 4)
Good practice is to use PDO with prepared statements instead of escaping the strings by hand and concatenating them into a query, e.g.:

    // Open the connection with PDO ($dsn, $user and $pass are the usual connection settings)
    $db = new PDO($dsn, $user, $pass);
    // Placeholders take the place of concatenated, hand-escaped values
    $sth = $db->prepare("INSERT INTO table (b, c) VALUES (?, ?)");
    // The values are sent separately from the SQL, so no escaping is needed
    $res = $sth->execute(array($info['b'], $info['c']));
    // PDO has no disconnect(); dropping the last reference closes the connection
    $db = null;

Oh, and make sure magic_quotes_gpc is disabled too!
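To make the difference concrete, here is an added example (it is not code from the question or from this answer). It reproduces the question's double escaping without a MySQL connection (for the characters ' and \, addslashes() and mysql_real_escape_string() add the same backslash, so a second addslashes() stands in for the latter), shows what the database would actually store, including the extra layer magic_quotes_gpc adds, and then rewrites the question's Bo::add() with a PDO prepared statement. It assumes the PDO sqlite driver is available so it can run against an in-memory database; the table name t is hypothetical.

```php
<?php
// Added example, not from the question or the answers. Assumes PDO with the sqlite driver.

/**
 * Mimics the question's clean(): addslashes() followed by mysql_real_escape_string().
 * For ' and \ both functions insert the same backslash, so a second addslashes()
 * stands in for mysql_real_escape_string() (which would need a live connection).
 */
function double_escape($value)
{
    return addslashes(addslashes($value));
}

/**
 * What the database ends up storing: the SQL parser removes exactly one level of
 * backslash escaping from a quoted literal, which stripslashes() mimics here.
 * One level of escaping survives, so the stored text carries stray backslashes.
 */
function stored_after_double_escape($value)
{
    return stripslashes(double_escape($value));
}

/** Same data flow with magic_quotes_gpc on: PHP has already escaped the request value once. */
function stored_with_magic_quotes($value)
{
    return stripslashes(double_escape(addslashes($value)));
}

/** The question's class, rewritten around prepared statements. */
class Bo
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // Hypothetical table matching the columns of the question's INSERT
        $this->db->exec('CREATE TABLE IF NOT EXISTS t (b TEXT, c TEXT)');
    }

    /** Values are bound to placeholders, never escaped by hand or concatenated into SQL. */
    public function add(array $info)
    {
        $sth = $this->db->prepare('INSERT INTO t (b, c) VALUES (?, ?)');
        $sth->execute(array($info['b'], $info['c']));
    }

    public function all()
    {
        return $this->db->query('SELECT b, c FROM t ORDER BY rowid')->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed sample input, as it would arrive in $_POST
$input = array('b' => "O'Reilly", 'c' => "x'); DROP TABLE t; --");

printf("stored by clean():     %s\n", stored_after_double_escape($input['b']));
printf("with magic_quotes_gpc: %s\n", stored_with_magic_quotes($input['b']));

$bo = new Bo(new PDO('sqlite::memory:'));
$bo->add($input);
$rows = $bo->all();
// The prepared statement stores the raw values intact, quotes and all, and the
// "DROP TABLE" text is just data: it is compared back equal to the input here.
var_dump($rows[0] === $input);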
Answer 1 (score: 0)
PDO would be the best choice, but in case you don't have it, there are some ways to mimic pg_query_params for MySQL. It is written as a method of a class; $this->dbconn is the connection resource returned by mysqli_init. Of course, you can replace the mysql methods with the appropriate mysqli analogues.
class ParamDb
{
    /** @var mysqli connection, e.g. the object returned by mysqli_init()/mysqli_real_connect() */
    private $dbconn;

    /** Escaped parameters of the query currently being built, indexed from 0. */
    private $mysqli_query_params__parameters = array();

    /** Message of the last failed query, if any. */
    public $last_error = '';

    public function __construct($dbconn)
    {
        $this->dbconn = $dbconn;
    }

    /** True when the array has non-sequential (associative) keys. */
    private function is_assoc(array $arr)
    {
        return array_keys($arr) !== range(0, count($arr) - 1);
    }

    /**
     * Returns the single value of the array mysqli_query_params__parameters
     *
     * @param $at the regex match; $at[1] is the placeholder number ($1, $2, ...)
     * @return string the already escaped SQL literal for that placeholder
     */
    public function mysqli_query_params__callback( $at )
    {
        $index = (int) $at[1] - 1;
        if( !array_key_exists( $index, $this->mysqli_query_params__parameters ) )
        {
            // A placeholder without a value must not silently become an empty string
            throw new InvalidArgumentException( 'No value supplied for placeholder $' . $at[1] );
        }
        return $this->mysqli_query_params__parameters[ $index ];
    }

    /**
     * Parameterised query implementation for MySQL (similar to PostgreSQL's PHP function pg_query_params)
     * Example: mysqli_query_params( "SELECT * FROM my_table WHERE col1=$1 AND col2=$2", array( 42, "It's ok" ) );
     *
     * Placeholders are $1, $2, ... (1-based). preg_replace_callback() scans the original
     * query only once, so a parameter value containing the text "$2" is inserted literally.
     *
     * @param string $query      SQL with $n placeholders
     * @param array  $parameters values, positional or associative (associative values are used in order)
     * @param mixed  $database   optional database name to select on the connection before running the query
     * @return mixed (mysqli_result|bool, or false on error)
     * @access public
     */
    public function mysqli_query_params( $query, $parameters=array(), $database=false )
    {
        if( !is_array($parameters) ){
            return false;
        }
        if($this->is_assoc($parameters)){
            $parameters = array_values($parameters);
        }
        // Escape parameters as required & build parameters for callback function.
        // mysqli_real_escape_string() escapes according to the connection charset, so set
        // it with mysqli_set_charset() on the connection rather than with a SET NAMES query.
        foreach( $parameters as $k=>$v )
        {
            if( is_int( $v ) ) {
                $parameters[$k] = $v;                       // integers go in unquoted
            } elseif( NULL === $v ) {
                $parameters[$k] = 'NULL';                   // null becomes SQL NULL
            } else {
                $parameters[$k] = "'" . mysqli_real_escape_string( $this->dbconn, (string) $v ) . "'";
            }
        }
        $this->mysqli_query_params__parameters = $parameters;

        // mysqli_query() takes no database argument (its third parameter is the result mode),
        // so select the requested database on the connection first
        if( false !== $database && !mysqli_select_db( $this->dbconn, $database ) )
        {
            $this->last_error = mysqli_error($this->dbconn);
            return false;
        }

        // Substitute the escaped literals for the $n placeholders, then call using mysqli_query
        try {
            $query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
        } catch( InvalidArgumentException $e ) {
            $this->last_error = $e->getMessage();
            return false;
        }

        $result = mysqli_query( $this->dbconn, $query );
        if( false === $result )
        {
            $this->last_error = mysqli_error($this->dbconn);
            return false;
        }
        return $result;
    }
}