Is my escape function really safe? [duplicate]

拜拜、爱过 submitted on 2019-12-12 03:07:33

Question


Possible Duplicate:
Best way to stop SQL Injection in PHP
The ultimate clean/secure function

My website was attacked via SQL injection and now I need to improve it. I'm creating a function in PHP, escape(), that returns the escaped version of a string. I'm not a hacker, so please help me to improve my escape function. Here is the current version:

```php
function escape($string){

    // Remove backslashes (undoes any previous escaping or magic_quotes)
    $string = stripslashes($string);
    // Escape quotes, backslashes and NUL for the legacy mysql extension
    $string = mysql_real_escape_string($string);
    // Remove HTML/PHP tags
    $string = strip_tags($string);
    // Remove the LIKE wildcard characters % and _ outright
    $string = str_replace('%','',$string);
    $string = str_replace('_','',$string);

    return $string;

}
```

My question is: is this hackable, and if it is, then how to fix it? Thanks!


Answer 1:


This function has absolutely nothing to do with safety.
It barely protects you from some kinds of XSS injections. That's all.
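The approach the answer implies, and the linked duplicates spell out, is to stop escaping and strip-replacing altogether and bind parameters instead. The following is an added example, not code from the question or the answer; the users table, its columns and the connection details are assumptions:

```php
<?php
// Added example: prepared statements with bound parameters, so user input
// is never spliced into the SQL text. Table, columns and credentials are
// assumed placeholders.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Exact match: the value travels separately from the query, so quotes,
// backslashes, tags, % and _ in $name need no stripping at all.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Substring search: the question deleted % and _ because they are LIKE
// wildcards. Binding alone does not neutralise wildcards, but escaping them
// inside the bound value with a declared ESCAPE character does, and the
// characters themselves stay searchable instead of being thrown away.
function searchUsers(PDO $pdo, string $term): array
{
    $pattern = '%' . strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $pdo->prepare(
        "SELECT id, name FROM users WHERE name LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
// Constructed inputs: the question's escape() would turn "50%_off" into
// "50off" and could never find that user; here both values match as-is.
var_dump(findUserByName($pdo, "O'Brien"));
var_dump(searchUsers($pdo, '50%_off'));
```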



Source: https://stackoverflow.com/questions/9957401/is-my-escape-function-really-safe
