下面的代码在防止 MySQL 数据库上的 SQL 注入方面是否更好mysqli_real_escape_string
?
$str = "SELECT * FROM customers WHERE username = '; DELETE FROM customers WHERE 1 or username = '";
$str2 = "";
for($i = 0; $i < strlen($str); $i++)
{
if (strpos ("abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ,.?!0123456789", $str[$i], 0) !== FALSE)
{
$str2 = $str2 . $str[$i];
}
}
echo "$str2";