Where to use mysql_real_escape_string on JSON data in a GET request

Time: 2015-08-19 11:56:34

Tags: php mysql json

I am doing select & insert into MySQL using JSON data from a GET request. If anyone has used mysql_real_escape_string with JSON, please tell me: is

$json_data = mysql_real_escape_string($_GET['json_data']);
json_decode($json_data, true);

then mysql_queries

fine this way,

or do we have to do it for every variable, like

$json_data = mysql_real_escape_string($_GET['json_data']);
$string = json_decode($json_data, true);
$variable1 = mysql_real_escape_string($string['variable1']);
$variable2 = mysql_real_escape_string($string['variable2']);
$variablen = mysql_real_escape_string($string['variablen']);

then mysql_queries

3 Answers:

Answer 0 (score: 1)


"Where to use mysql_real_escape_string on JSON data in a GET request"

You put three different domains into one sentence, each with its own syntax and its own escaping rules. Don't mix them!

// $text is just some text received in the query string
// It might be a correct JSON representation of some data structure
// but it may be anything else as well; it is a source for injection
// nonetheless, so it has to be thoroughly checked
$text = $_GET['json_data'];

// Check if $text looks like a valid JSON representation
$data = json_decode($text, TRUE);
// We expect an array encoded as JSON in $_GET['json_data']
if (! is_array($data)) {
    // This is not good; recover from this situation somehow;
    // display an error message or use a default value instead or
    // abort the script or any combination of the above
    exit(1);
}

// Validate the structure of $data and the values it contains
if (! isset($data['variable1'])) {
    // Do something: use a default value, display a message etc.
    exit(1);
}
// 'variable1' is set, can work with it
$var1 = $data['variable1'];

// Validate the type and the value of $var1
// F.e. if you expect an integer then check if it's an integer and/or
// convert it to an integer
if (! is_int($var1)) {
    // Do something, for example fix it
    $var1 = (int)$var1;
}
// Validate the value; if it's a quantity, f.e., it must be positive
// (zero may or may not be allowed, it depends on your application logic)
if ($var1 <= 0) {
    // Something is wrong here; do something
    // report an error, fix the value, abort the processing, it depends...
    exit(1);
}
// $var1 looks legit now; use it or put it into the database

// This test is a joke but let's be realistic. It's 2015 and the
// old mysql PHP extension is dead. Don't use it!
// Use mysqli or PDO_MySQL instead
if (date('Y') <= 2005) {
    $var1db = mysql_real_escape_string($var1);
    $query  = "INSERT INTO tbl1(col1) VALUES ('$var1db')";
} else {
    // Look ma! No need to "escape string" any more!
    // $conn is assumed to be an open connection from mysqli_connect()
    $query = "INSERT INTO tbl1(col1) VALUES (?)";
    $stmt  = mysqli_prepare($conn, $query);
    mysqli_stmt_bind_param($stmt, 'i', $var1);
    mysqli_stmt_execute($stmt);
}

Stop using the mysql PHP extension!

It is old, limited in functionality, no longer maintained and, more importantly, it was deprecated in PHP 5.5 and completely removed in PHP 7.

Use mysqli or PDO_MySQL. While PDO seems more versatile to me, it is easier to switch from mysql to mysqli (using the procedural interface of mysqli). There are plenty of articles online explaining how to convert.

Don't cling to the past, dare to move forward!
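The flow the answer above describes, as an added example that is not part of the original answer: decode the request body first, validate its structure and values, then bind the values with PDO prepared statements. It also shows concretely why the question's first snippet (escape the raw JSON, then decode) cannot work. The table and column names, the validation rules, the in-memory SQLite database standing in for a MySQL DSN, and the `emulate_mysql_escape()` helper (an offline stand-in for `mysql_real_escape_string()`, which needs a live connection) are all assumptions made for this example.

```php
<?php
// Added example, not code from the original post.
declare(strict_types=1);

/**
 * Offline stand-in for mysql_real_escape_string() (assumption: the real
 * function needs an open connection and is character-set aware). It escapes
 * the same seven bytes (NUL, \n, \r, \, ', ", \x1a) so the effect of escaping
 * a JSON document can be shown without a MySQL server.
 */
function emulate_mysql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

/** Decode the payload and validate it; returns [int, string] or throws. */
function parse_payload(string $text): array
{
    $data = json_decode($text, true);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($data)) {
        throw new InvalidArgumentException('json_data is not a JSON object');
    }
    // variable1: a positive integer. filter_var rejects "7abc" and "7; DROP ..."
    // where a plain (int) cast would silently turn them into 7.
    if (!isset($data['variable1'])
        || filter_var($data['variable1'], FILTER_VALIDATE_INT) === false
        || (int) $data['variable1'] <= 0) {
        throw new InvalidArgumentException('variable1 must be a positive integer');
    }
    // variable2: a string no longer than the (assumed) column width.
    if (!isset($data['variable2']) || !is_string($data['variable2'])
        || strlen($data['variable2']) > 64) {
        throw new InvalidArgumentException('variable2 must be a string of at most 64 bytes');
    }
    return [(int) $data['variable1'], $data['variable2']];
}

/** Insert the validated values and read the row back, using bound parameters only. */
function store_and_fetch(PDO $db, int $v1, string $v2): array
{
    $ins = $db->prepare('INSERT INTO tbl1 (col1, col2) VALUES (:v1, :v2)');
    $ins->bindValue(':v1', $v1, PDO::PARAM_INT);
    $ins->bindValue(':v2', $v2, PDO::PARAM_STR);
    $ins->execute();

    $sel = $db->prepare('SELECT col1, col2 FROM tbl1 WHERE col1 = :v1');
    $sel->bindValue(':v1', $v1, PDO::PARAM_INT);
    $sel->execute();
    return $sel->fetch(PDO::FETCH_ASSOC);
}

// Constructed request payload, as it would arrive in $_GET['json_data'].
// The apostrophe in the name is exactly the byte that escaping exists for.
$text = '{"variable1": 7, "variable2": "O\'Brien"}';

// Wrong order (the question's first snippet): escape the whole document first.
// Every " becomes \" and the ' becomes \', neither of which is valid JSON at
// that position, so json_decode() fails and there is nothing left to insert.
$escaped = emulate_mysql_escape($text);
printf("escaped JSON: %s\n", $escaped);
printf("decodes?     %s\n", json_decode($escaped, true) === null ? 'no' : 'yes');

// Right order: decode, validate, bind. 'sqlite::memory:' stands in for a DSN
// such as 'mysql:host=db;dbname=app' so the script runs offline (assumption:
// the pdo_sqlite extension is loaded). With MySQL, also pass
// PDO::ATTR_EMULATE_PREPARES => false to get server-side prepared statements.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE tbl1 (col1 INTEGER, col2 TEXT)');

[$v1, $v2] = parse_payload($text);
$row = store_and_fetch($db, $v1, $v2);
printf("stored:      col1=%d col2=%s\n", $row['col1'], $row['col2']);

// A payload whose variable1 is not an integer is rejected before any SQL runs.
try {
    parse_payload('{"variable1": "7; DROP TABLE tbl1", "variable2": "x"}');
} catch (InvalidArgumentException $e) {
    printf("rejected:    %s\n", $e->getMessage());
}
```

Run it with `php example.php`. The value `O'Brien` comes back from the table unchanged because the driver sends it as a parameter rather than as part of the SQL text; there is no escaping step anywhere, which is the point of the answer's "Look ma!" branch.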

Answer 1 (score: 0)

You should call mysql_real_escape_string() on each individual value before inserting it into the database (so after any other validation).

But as @Jay Blanchard already said, you should not use the mysql_* functions any more; look into PDO instead.

why you should use PDO

Answer 2 (score: 0)

mysql_real_escape_string is the last thing you do before embedding a value into a query. You never mysql_real_escape_string something, then modify it, then put it into the query. Any further operation on the value can undo the escaping that mysql_real_escape_string did. For example:

$value = "'foo'";
$value = mysql_real_escape_string($value);
$value .= "'";
$query = "INSERT INTO ... VALUES ('$value')";

Well, congratulations, the escaping was completely pointless and you will still get a syntax error.

JSON is entirely irrelevant to the whole process. The one and only way to build a query correctly with mysql_real_escape_string is to escape the value exactly when it is embedded into the query string; not sooner, not later. That said, you really need to move with the times and use PDO or mysqli with prepared statements instead of manual escaping.