Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection?

离开以前 2020-11-22 04:01

Earlier today a question was asked regarding input validation strategies in web apps.

The top answer, at time of writing, suggests in PHP just using

6 answers
  • 有刺的猬 2020-11-22 04:37

    why, oh WHY, would you not include quotes around user input in your SQL statement? seems quite silly not to! including quotes in your SQL statement would render "1 or 1=1" a fruitless attempt, no?

    so now, you'll say, "what if the user includes a quote (or double quotes) in the input?"

    well, easy fix for that: just remove user-inputted quotes. e.g.: input =~ s/'//g;. now, it seems to me anyway, that user input would be secured...
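As an added example that is not code from this thread: the quote-wrap-and-strip approach described in the answer above, next to a PDO prepared statement (the parameterisation PHP's own documentation recommends), both run against a constructed in-memory SQLite table. The mysql_real_escape_string() function from the question was removed in PHP 7 (mysqli_real_escape_string() is its successor) and needs a live MySQL connection, so it is not used here.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite
// database via PDO so it runs offline; the table and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Approach from the answer above: wrap the value in quotes and strip any
// quote characters the user supplied (the s/'//g from the answer, in PHP).
function findByNameStripQuotes(PDO $db, string $input): array {
    $cleaned = str_replace("'", '', $input);
    $sql = "SELECT name FROM users WHERE name = '" . $cleaned . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the value travels separately from the SQL text, so
// nothing in it is ever parsed as SQL and no characters need removing.
function findByNamePrepared(PDO $db, string $input): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $input]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a plain name, the "1 or 1=1" string from the answer,
// and a legitimate name that contains a quote.
$inputs = ['alice', "1 or 1=1", "O'Brien"];
foreach ($inputs as $in) {
    printf("%-10s strip-quotes: %-12s prepared: %s\n", $in,
        json_encode(findByNameStripQuotes($db, $in)),
        json_encode(findByNamePrepared($db, $in)));
}
```

Both versions treat "1 or 1=1" as a literal name and match nothing, but the strip-quotes version also fails to find the real user O'Brien because it deleted the quote, while the prepared statement matches that row intact.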
