Edit 2 - PHP function to clean and escape any variable used in dynamic MySQL - my code

Problem description:

I needed a generic function in PHP that will properly clean and escape any variable used in a dynamic MySQL statement. For example, MySQL is vulnerable to random user-inserted data. Any sample code or links are highly appreciated.

Edit 1 - I did follow the links posted below. I still feel a concrete example would help. The requirement at work is to have a function which may look like below:

function MySQLClean($string){
    // Contents: escaping/cleaning goes here
    return $string;
}

My questions are

  1. What characters should this function escape for MySQL? I know a few like ' ^ etc.
  2. What characters should be removed, i.e. cleaned? This should be generic rather than database specific.
  3. How do I test it? Do I pass in each string that makes up my query to this function before executing the query, or do I pass in the entire query to this function, split it into tokens, clean/escape each character in the tokenized string and return it by joining it together?

An example of a Before and After "Escaping and Cleaning" the query string will be highly appreciated.

If this explanation seems vague and unspecific - that pretty much sums up my understanding of how to clean and validate the data. I will however be glad to provide any further details.

Edit 2 - After reading some material on the net and following the links in the answers given below, I have the following function:

function MySQLClean($string)
{
    // Undo PHP's automatic quoting (magic_quotes_gpc) so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }

    // Escape for the currently open mysql_* connection (mysql_real_escape_string needs one),
    // then backslash-escape the LIKE wildcards % and _
    return addcslashes(mysql_real_escape_string($string), "%_");
}

Is this sufficient?

Ok, since you've edited your question and I better understand what you're trying to do, let me say this:

Don't Do It!

You will run into problems with the character set of the connection, differing collations, etc. There are a fair number of edge cases that you will likely miss and still be vulnerable to. For one example of an edge case, check out Chris Shiflett's Blog Post...

If you're writing a DB abstraction layer and want to create a uniform interface, call the database's escape method in the driver layer. Don't try to write your own escape mechanism since it will not be nearly as good as the in-built one, and will not be kept up to date as well either...

If you use prepared statements, your data will be cleaned, which helps prevent SQL injection attacks.
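As an added example (not code from the question or the answer, and assuming placeholder connection details), this puts the hand-escaped query the asker is building next to the prepared-statement form the answer recommends, and shows the one case where escaping % and _ (what the asker's addcslashes(..., "%_") was aiming at) still matters, namely LIKE patterns:

```php
<?php
// Added example, not part of the original question or answer.
// Assumes a reachable MySQL server; DSN, user and password are placeholders.
declare(strict_types=1);

// The charset in the DSN matters: escaping rules depend on the connection's
// character set (the edge case the answer links to), so set it explicitly.
$pdo = new PDO(
    'mysql:host=db.example;dbname=app;charset=utf8mb4',  // placeholder DSN
    'app_user',                                          // placeholder user
    'app_password',                                      // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]
);

// Constructed user input: contains a quote and both LIKE wildcards.
$userInput = "O'Brien_%";

// 1) Building SQL text by hand: the data is spliced into the statement, so
//    every gap in the escaping is a syntax hole. If you must do this, use
//    the driver's own escaper (it knows the connection charset), never a
//    home-grown one.
$sqlByHand = "SELECT id, name FROM users WHERE name = " . $pdo->quote($userInput);

// 2) Prepared statement: SQL and data travel separately, so the value is
//    never parsed as SQL no matter which characters it contains.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => $userInput]);
$exactMatches = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 3) LIKE is the one place where % and _ still need escaping: they are
//    wildcards to LIKE, not to the SQL parser, so a bound parameter does not
//    neutralise them. Escape them in the value with a chosen escape character
//    and name that character in the ESCAPE clause.
function likeLiteral(string $value, string $esc = '!'): string
{
    // Escape the escape character itself first, then the two wildcards.
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

$stmt = $pdo->prepare("SELECT id, name FROM users WHERE name LIKE :pattern ESCAPE '!'");
$stmt->execute([':pattern' => likeLiteral($userInput) . '%']);   // prefix search
$prefixMatches = $stmt->fetchAll(PDO::FETCH_ASSOC);
```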