mysqli_real_escape_string必要吗?

时间:2017-01-29 16:37:46

标签: php mysqli

我是PHP和编程的新手,但是我开始构建自己的网站,需要注册网站以下PHP代码:

<?php
$fnameErr = $lnameErr = $emailErr = $pwErr = $pw_confErr = "";
$fname = $lname = $email = $pw = $pw_conf = "";

function test_input($data) {
  $data = trim($data);
  $data = stripslashes($data);
  $data = htmlspecialchars($data);
  return $data;
}

if ($_SERVER["REQUEST_METHOD"] == "POST") {
  if (empty($_POST["fname"])) {
    $fnameErr = "(Please submit first name)";
  } 
  else {
    $fname = test_input($_POST["fname"]);
  }

  if (empty($_POST["lname"])) {
    $lnameErr = "(Please submit last name)";
  } 
  else {
    $lname = test_input($_POST["lname"]);
  }

  if (empty($_POST["email"])) {
    $emailErr = "(Please submit email address)";
  } 
  else {
    $email = test_input($_POST["email"]);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
      $emailErr = "(Email address is not valid)"; 
    }
  }

  include ("email_compare.php");

  if (empty($_POST["pw"])) {
    $pwErr = "(Please submit password)";
  } 
  else {
    $pw = test_input($_POST["pw"]);
    $pwHash = password_hash($pw, PASSWORD_DEFAULT);
  }

  if (empty($_POST["pw_conf"])) {
    $pw_confErr = "(Please confirm password)";
  } 
  else {
    $pw_conf = test_input($_POST["pw_conf"]);
  }

  if ($_POST["pw"] !== $_POST["pw_conf"]) {
    $pwErr = "(Please confirm password)";
    $pw_confErr = "";
  } 

  if (empty($fnameErr) && empty($lnameErr) && empty($emailErr) && empty

($pwErr) && empty($pw_confErr))
  {
    include ("db_add.php"); 
    header('Location: register_success_en.php');
    exit;
  }
}
?>

我刚刚发现,应该包含在MYSQL中的数据应该由mysqli_real_escape_string转义,但我已经使用了我的test_input函数,在我看来,这个函数具有相同的效果。

所以我的问题是:test_input函数是否足够,还是我还应该使用mysqli_real_escape_string?

提前致谢!

0 个答案:

没有答案