0

一次转义多个字符串(来自 POST 或 GET 的字符串)时,这是一种好习惯吗?

还有什么我应该考虑或做不同的事情吗?我现在有 PDO,但在这段代码中我不想使用它。

class Bo extends Db
{
    function clean($cThis)
    {
        $res = array();
        foreach (array_keys($cThis) as $key) {
            $res[$key] = mysql_real_escape_string(addslashes($cThis[$key]));
        }
        return $res;
    }

    function add($info)
    {
        $this->dbConnect();
        $cInfo = $this->clean($info);

        mysql_query("INSERT INTO table (b, c) VALUES ('".$cInfo['b']."', '".$cInfo['c']."')");
        $this->dbDisconnect();
    }
}
4

2 回答 2

4

好的做法是使用PDO准备好的语句而不是手动转义字符串并将它们连接到查询中,例如:

$db = DB::connect($dsn);
$sth = $db->prepare("INSERT INTO table (b, c) VALUES (?, ?)");
$res = $sth->execute(array($info['b'], $info['c']));
$db->disconnect()

哦,确保gpc_magic_quotes也被禁用!

于 2012-05-23T21:09:49.480 回答
0

PDO 将是最好的选择,但如果你没有它。有一些模仿pg_query_paramsmysql的方法。它被写成一个类的方法,$this->dbconn是返回的连接资源mysqli_init。当然,您可以mysqli使用适当的mysql类似物更改方法。

/**
 * Returns the single value of the array mysqli_query_params__parameters
 *
 * @param $at the position of the parameter inside the array mysqli_query_params__parameters
 * @return mixed
 */
public function mysqli_query_params__callback( $at )
{
    return $this->mysqli_query_params__parameters[ $at[1]-1 ];
}

/**
 * Parameterised query implementation for MySQL (similar PostgreSQL's PHP function pg_query_params)
 * Example: mysqli_query_params( "SELECT * FROM my_table WHERE col1=$1 AND col2=$2", array( 42, "It's ok" ), $dbconn );
 *
 * @param $query, $parameters, $datadase
 * @return mixed(resorce, false)
 * @access public
 */
public function mysqli_query_params( $query, $parameters=array(), $database=false )
{
    if( !is_array($parameters) ){
        return false;
    } else {
        if($this->is_assoc($parameters)){
            $parameters = array_values($parameters);
        }
    }

    // Escape parameters as required & build parameters for callback function
    foreach( $parameters as $k=>$v )
    {
        $parameters[$k] = ( is_int( $v ) ? $v : ( NULL===$v ? 'NULL' : "'".mysqli_real_escape_string( $this->dbconn, $v )."'" ) );
    }
    $this->mysqli_query_params__parameters = $parameters;

    // Call using mysqli_query
    if( false === $database )
    {
        $query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
        $result = mysqli_query( $this->dbconn, $query );

        if( false === $result )
        {
            $err_msg = mysqli_error($this->dbconn);
            return false;
        } else {
            return $result;
        }
    }
    else
    {
        $query = preg_replace_callback( '/\$([0-9]+)/', array($this, 'mysqli_query_params__callback'), $query );
        $result = mysqli_query( $this->dbconn, $query, $database );

        if( false === $result )
        {
            $err_msg = mysqli_error($this->dbconn);

            return false;
        } else {
            return $result;
        }
    }

    return false;
}
于 2012-05-23T21:29:22.080 回答