Escaping user data without magic quotes

I'm looking at how to correctly escape data coming from the outside world before it is used for application control, storage, logic... that kind of thing.

Obviously, with the magic quotes directive being deprecated in PHP 5.3.0+ and removed in PHP 6, this becomes more pressing for those who want to upgrade and use new language features while keeping legacy code working (don't we all love it...).

However, one thing I haven't seen much discussion of is the theory / best practice for what to do after escaping your data - for example, store it with or without slashes? I personally think that storing escaped data in the database is not the way to go, but I'd like to hear a discussion and, better still, read some examples.

Some links to the PHP manual for reference:

PHP Manual - mysql_real_escape_string

PHP Manual - htmlspecialchars

etc.

Any tips?

+3
5 answers

Take a look at prepared statements. I know that in MySQL they work very well and are a safe way of getting data into your database. They also have several performance benefits.

http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html

I have a few more resources if you are interested.

Hope this is what you are looking for, tc.

Edit:

[The rest of this edit was lost in extraction; what survives names the FILTER_SANITIZE_STRING and FILTER_SANITIZE_EMAIL filters.]

+6
  • For SQL: mysql_real_escape_string, etc.

  • For HTML: htmlspecialchars, etc.

+2
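Putting the two answers above together (prepared statements for the database, htmlspecialchars for HTML) also settles the question's worry about slashes: store the raw value and escape only at each boundary. The following is an added example, not code from the thread or from any of its answerers. It assumes PHP 7.0 or later with the pdo_sqlite extension, and uses an in-memory SQLite table named comments with constructed input; the function names are illustrative.

```php
<?php
// Added example (not from the original thread). Shows "store raw, escape at
// the point of use": undo magic quotes if the runtime still has them, insert
// with a prepared statement, and only HTML-escape when rendering. Uses PDO
// with an in-memory SQLite database so it runs stand-alone; the table name,
// function names and sample input are constructed for this example.
declare(strict_types=1);

// Step 1: neutralise magic_quotes_gpc on legacy runtimes (PHP < 5.4).
// get_magic_quotes_gpc() was deprecated in 7.4 and removed in 8.0, hence the
// function_exists() guard; on modern PHP this is a no-op.
function undo_magic_quotes(array $data): array
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $data;
    }
    $clean = [];
    foreach ($data as $key => $value) {
        $clean[$key] = is_array($value) ? undo_magic_quotes($value) : stripslashes($value);
    }
    return $clean;
}

// Step 2: the database boundary. Data and SQL travel separately, so nothing
// in $author or $body needs escaping, and nothing is stored with slashes.
function store_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Step 3: the HTML boundary. Escaping happens here, with the quote flags and
// charset given explicitly because the defaults differ between PHP versions.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(array $row): string
{
    return '<p><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed input: mangled by magic quotes, and hostile to both SQL and
// HTML if it were escaped for the wrong context.
$input = undo_magic_quotes([
    'author' => "O'Reilly",
    'body'   => "1' OR '1'='1 <script>alert(1)</script>",
]);

$id  = store_comment($db, $input['author'], $input['body']);
$row = load_comment($db, $id);

// The stored value is byte-for-byte the raw input: no backslashes were added.
assert($row['body'] === $input['body']);
echo 'stored unchanged: ', var_export($row['body'] === $input['body'], true), PHP_EOL;
echo render_comment($row), PHP_EOL;
```

On MySQL the same store_comment() works unchanged against a PDO MySQL handle; the one extra setting worth applying there is PDO::ATTR_EMULATE_PREPARES = false, so the server receives parameters separately from the statement instead of the client driver escaping and interpolating them.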

[Most of this answer was lost in extraction. What survives: PDO and mysqli; htmlspecialchars for HTML; and a remark about PHP 5.3.]

+2

[This answer was lost in extraction. Surviving fragments: db and html as contexts, system versus multi-arg exec, and a mention of Tcl.]

+1

[Most of this answer was lost in extraction. Surviving fragments: mysql_real_escape_string(), SQL injection, XSS, htmlentities(), and a lead-in to the wrapper function below built on mysql_real_escape_string().]

// Quote a value for the legacy mysql_* extension (removed in PHP 7).
// Needs an open mysql_connect() link, which mysql_real_escape_string() uses
// to pick the connection's character set.
function someFunction( $value )
{
    // ints and floats go back unquoted: nothing to escape
    if ( is_int( $value ) || is_float( $value ) ) {
        return $value;
    }
    // everything else is cast to string, escaped, and wrapped in single quotes
    return "'" . mysql_real_escape_string( (string) $value ) . "'";
}

[Explanation lost in extraction; it concerns the float and integer cases and how mysql_real_escape_string() is applied.]

http://localhost/test.php?hello[]=test

[Text lost in extraction; it concerns test.php calling mysql_real_escape_string() on $_GET['hello'] when, as in the URL above, hello is an array.]

0
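To make the hello[]=test case concrete, here is an added example (not from the answer above or from anyone in the thread) showing the type checks that belong in front of any escaping or binding wrapper, together with the filter_var() validation that the first answer's edit points at. It assumes PHP 7.0 or later with pdo_sqlite; the parameter names, query strings and the sql_literal() helper are constructed for illustration, and the helper quotes through PDO because the mysql_* extension no longer exists.

```php
<?php
// Added example (not from the original thread). A request such as
// /test.php?hello[]=test makes $_GET['hello'] an array; a wrapper that blindly
// casts or escapes it gets the string "Array" (plus a warning) instead of the
// value it expected. The fix is to check type and shape before anything
// reaches an escaping or binding layer. Names and inputs are constructed.
declare(strict_types=1);

// Pull a scalar string parameter, rejecting arrays and missing keys outright.
function expect_string(array $params, string $key, int $maxLen = 255): string
{
    if (!array_key_exists($key, $params) || !is_string($params[$key])) {
        throw new InvalidArgumentException("parameter '$key' must be a string");
    }
    if (strlen($params[$key]) > $maxLen) {
        throw new InvalidArgumentException("parameter '$key' is too long");
    }
    return $params[$key];
}

// Pull an integer parameter. filter_var() with FILTER_VALIDATE_INT returns
// false for "12abc", "1e3", a missing value, and for an array, so an
// array-valued parameter fails here as well.
function expect_int(array $params, string $key): int
{
    $value = filter_var($params[$key] ?? null, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException("parameter '$key' must be an integer");
    }
    return $value;
}

// A typed quoting wrapper in the spirit of someFunction() above, written
// against PDO::quote() so it runs on current PHP. Ints and floats pass
// through unquoted; anything that is not a string is refused, so an array
// can never be stringified to "Array" and quoted.
function sql_literal(PDO $db, $value): string
{
    if (is_int($value) || is_float($value)) {
        // float-to-string is locale-independent from PHP 8.0; earlier
        // versions may emit a decimal comma under some locales.
        return (string) $value;
    }
    if (!is_string($value)) {
        throw new InvalidArgumentException('only scalar values can be quoted');
    }
    return $db->quote($value);
}

// Rebuild what PHP puts in $_GET for the URL in the answer above and for a
// well-formed request (constructed query strings).
parse_str('hello[]=test', $hostile);    // ['hello' => ['test']]
parse_str('hello=test&id=42', $normal); // ['hello' => 'test', 'id' => '42']

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Well-formed request: both checks pass and the literals are usable.
echo sql_literal($db, expect_string($normal, 'hello')), PHP_EOL;
echo sql_literal($db, expect_int($normal, 'id')), PHP_EOL;

// hello[]=test: the array is rejected before any quoting function sees it.
try {
    expect_string($hostile, 'hello');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same checks apply unchanged if the storage layer uses prepared statements instead of quoting: binding an array to a placeholder fails just as an escaping wrapper does, so validating shape and type at the edge of the application is what actually removes the surprise.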

Source: https://habr.com/ru/post/1724126/

