问题
I was wondering is it possible to just my_sql_escape string the whole $_POST and $_GET array so you dont miss any variables?
Not sure how to test it or I would've myself. Thanks!
回答1:
I would use the array_walk() function. It's better suited because modifies the POST superglobal so any future uses are sanitized.
array_walk_recursive( $_POST, 'mysql_real_escape_string' );
However, make sure that you don't rely on this line to completely protect your database from attacks. The best protection is limiting character sets for certain fields. Ex. Email's don't have quotes in them (so only allow letters, numbers, @, dashes, etc.) and names don't have parenthesis in them (so only allow letters and selected special characters)
EDIT: Changed array_walk() to array_walk_recursive() thanks to @Johan's suggestion. Props to him.
回答2:
$escaped_POST = array_map('mysql_real_escape_string', $_POST);
Though, I would recommend using MySQLi instead.
回答3:
you can use
foreach(array_keys($_POST) as $key)
{
$clean[$key] = mysql_real_escape_string($_POST[$key]);
}
and after this to access post data use echo $clean['name'];
回答4:
Try This
foreach(array_keys($_GET) as $key){ $_GET[$key] = mysql_real_escape_string($_GET[$key]);}
foreach(array_keys($_POST) as $key){ $_POST[$key] = mysql_real_escape_string($_POST[$key]);}
To mysql_real_escape_string Whole
来源:https://stackoverflow.com/questions/4665350/mysql-escape-string-whole-post-array