I'd like to know if anyone can suggest a more elegant way of assigning variables during a PHP/MySQL form submission. This seems clunky:
```php
//include("connect.php");
mysql_connect("localhost", "root", "root");
mysql_select_db("noirTEST");

// assign out vars from the POST vars to get ready for SQL insertion
$thumb_image_location = $_POST['thumb_image_location'];
$large_image_location = $_POST['large_image_location'];
$password      = sanitizeString($_POST['password1']);
$firstName     = sanitizeString($_POST['firstName']);
$lastName      = sanitizeString($_POST['lastName']);
$desc_short    = sanitizeString($_POST['desc_short']);
$nationality   = sanitizeString($_POST['nationality']);
$speakEnglish  = sanitizeString($_POST['speakEnglish']);
$speakGerman   = sanitizeString($_POST['speakGerman']);
$mainInst      = sanitizeString($_POST['mainInst']);
$inspiration1  = sanitizeString($_POST['inspiration1']);
$inspiration2  = sanitizeString($_POST['inspiration2']);
$inspiration3  = sanitizeString($_POST['inspiration3']);
$inspiration4  = sanitizeString($_POST['inspiration4']);
$inspiration5  = sanitizeString($_POST['inspiration5']);
$desc_long     = sanitizeString($_POST['desc_long']);
$link1name     = sanitizeString($_POST['link1name']);
$link1url      = sanitizeString($_POST['link1url']);
$link2name     = sanitizeString($_POST['link2name']);
$link2url      = sanitizeString($_POST['link2url']);
$link3name     = sanitizeString($_POST['link3name']);
$link3url      = sanitizeString($_POST['link3url']);
$email         = sanitizeString($_POST['email']);
$proExperience = sanitizeString($_POST['proExperience']);
$haveStudio    = sanitizeString($_POST['haveStudio']);
$musicTheory   = sanitizeString($_POST['musicTheory']);
$composer      = sanitizeString($_POST['composer']);
$teacher       = sanitizeString($_POST['teacher']);

// the values are interpolated straight into the SQL string
$query = "INSERT INTO NOIRusers (thumb_image_location, large_image_location, password, firstName, lastName, desc_short, nationality, speakEnglish, speakGerman, mainInst, inspiration1, inspiration2, inspiration3, inspiration4, inspiration5, desc_long, link1name, link1url, link2name, link2url, link3name, link3url, email, proExperience, haveStudio, musicTheory, composer, teacher)
VALUES ('$thumb_image_location', '$large_image_location', '$password', '$firstName', '$lastName', '$desc_short', '$nationality', '$speakEnglish', '$speakGerman', '$mainInst', '$inspiration1', '$inspiration2', '$inspiration3', '$inspiration4', '$inspiration5', '$desc_long', '$link1name', '$link1url', '$link2name', '$link2url', '$link3name', '$link3url', '$email', '$proExperience', '$haveStudio', '$musicTheory', '$composer', '$teacher')";

// trims, strips tags, HTML-encodes and strips slashes from a single value
function sanitizeString($string) {
    $string = trim($string);
    $string = strip_tags($string);
    $string = htmlentities($string);
    $string = stripslashes($string);
    return $string;
}
```
Would something like this work for the long first part?
```php
// create one variable per POST key, holding the sanitized value
// (the original discarded sanitizeString's return value and passed the key instead)
foreach ($_POST as $key => $value) {
    ${$key} = sanitizeString($value);
}
```
It seems every example I've seen uses the long way or something similar... so I'm sure there's a reason why the shorter way can't/shouldn't be used. But can someone explain it to me?
Answer 0 (score: 2)
For one, you should also be using mysql_real_escape_string in your sanitizeString function.
Or better yet, use PDO, which will escape the strings for you.
Answer 1 (score: 1)
Your alternative is the same as enabling register_globals, which is a very bad idea (if you really want to do this, you can use extract with {{3}}, but don't).
I'd suggest looping over and sanitizing the values in $_POST (preferably into a new array, so you can keep track of which values have been filtered and which haven't), or just using the filtered values in your query (you may want to look at using prepared queries). You could also create a list of the expected form values, then loop over that list, checking for and filtering those values as you encounter them. That would let you check which values are actually set and whether the request contains the ones you expect.
You'd also want to avoid stripslashes() unless magic_quotes is enabled, otherwise you lose valid backslashes in your sanitize function, and using strip_tags removes too much if your fields contain <; you want to do HTML escaping on output (to HTML), not on input.
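The approach both answers point at, as one combined example that is not part of the question or either answer: a whitelist of the expected form fields from the question's INSERT, a loop that copies only those into a new array (so nothing else in the request becomes a variable), a PDO prepared statement with named placeholders instead of interpolating values into the SQL, no strip_tags/stripslashes on input, and HTML escaping at output time. The DSN, database credentials and the password hashing of the password1 field are assumptions added here.

```php
<?php
// Added example: whitelist + new array + PDO prepared statement.
// Connection details below are assumed placeholders.

// Fields the form is expected to send (column names from the question's INSERT,
// plus the form's password1 field). Anything else in $_POST is ignored.
$expectedFields = [
    'thumb_image_location', 'large_image_location', 'password1',
    'firstName', 'lastName', 'desc_short', 'nationality', 'speakEnglish',
    'speakGerman', 'mainInst', 'inspiration1', 'inspiration2', 'inspiration3',
    'inspiration4', 'inspiration5', 'desc_long', 'link1name', 'link1url',
    'link2name', 'link2url', 'link3name', 'link3url', 'email',
    'proExperience', 'haveStudio', 'musicTheory', 'composer', 'teacher',
];

/**
 * Copy only the whitelisted fields from $input into a new array, trimmed.
 * Input is not HTML-escaped or tag-stripped here: escaping happens on output.
 * Fields that are absent or not strings are reported in $missing so the
 * caller knows the request did not contain what was expected.
 */
function collectFormFields(array $input, array $expected, array &$missing): array
{
    $clean   = [];
    $missing = [];
    foreach ($expected as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $missing[] = $field;
            continue;
        }
        $clean[$field] = trim($input[$field]);
    }
    return $clean;
}

$missing = [];
$fields  = collectFormFields($_POST, $expectedFields, $missing);
if ($missing !== []) {
    http_response_code(400);
    // output is HTML-escaped at the point it is rendered
    exit('Missing form fields: ' . htmlspecialchars(implode(', ', $missing), ENT_QUOTES, 'UTF-8'));
}

// The form field is password1 but the column is password; store a hash,
// not the raw value (assumption: the column is wide enough for a hash).
$fields['password'] = password_hash($fields['password1'], PASSWORD_DEFAULT);
unset($fields['password1']);

// Column names come from our own whitelist, never from the request, so they
// are safe to place in the SQL text; the values get one named placeholder each.
$columns      = array_keys($fields);
$placeholders = array_map(function ($c) { return ':' . $c; }, $columns);
$sql = sprintf(
    'INSERT INTO NOIRusers (%s) VALUES (%s)',
    implode(', ', $columns),
    implode(', ', $placeholders)
);

// Assumed DSN and credentials. ERRMODE_EXCEPTION means a failed INSERT cannot
// be silently ignored; disabling emulated prepares keeps quoting server-side.
$pdo = new PDO(
    'mysql:host=localhost;dbname=noirTEST;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare($sql);
$stmt->execute($fields); // values bound by name; the driver handles quoting

// Escape when rendering into HTML, not when storing.
echo 'Welcome, ' . htmlspecialchars($fields['firstName'], ENT_QUOTES, 'UTF-8');
```

Because `collectFormFields` returns a separate array, the rest of the script only ever touches `$fields`, and `$_POST` keys that are not on the list (or extra keys an attacker appends) never become variables. Format checks for individual fields, for example `filter_var($fields['email'], FILTER_VALIDATE_EMAIL)` for the email and `FILTER_VALIDATE_URL` for the link URLs, would go right after the whitelist loop, before the INSERT.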