可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试):

问题:

This question already has an answer here:

Do htmlspecialchars and mysql_real_escape_string keep my PHP code safe from injection? 6 answers

I'm trying to come up with a way to effectively easily clean all POST and GET variables with a single function. Here's the function itself:

//clean the user's input
function cleanInput($value, $link = '')
{
    //if the variable is an array, recurse into it
    if(is_array($value))
    {
        //for each element in the array...
        foreach($value as $key => $val)
        {
            //...clean the content of each variable in the array
            $value[$key] = cleanInput($val);
        }

        //return clean array
        return $value;
    }
    else
    {
        return mysql_real_escape_string(strip_tags(trim($value)), $link);
    }
}

And here's the code that would call it:

//This stops SQL Injection in POST vars
foreach ($_POST as $key => $value)
{
    $_POST[$key] = cleanInput($value, $link);
}

//This stops SQL Injection in GET vars
foreach ($_GET as $key => $value)
{
    $_GET[$key] = cleanInput($value, $link);
}

To me this seems like it should work. But for some reason it won't return arrays from some checkboxes I have in a form. They keep coming out blank.

I've tested my code without the above function and it works fine, I just want that added bit of security in there.

Thanks!

回答1:

What you're doing isn't enough. See here.

回答2:

Use filter_input if possible (php5 +) It keeps it a lot cleaner and as far as im aware you can sanitise and validate everything you could need using it.

You can use filter var array and for example FILTER_SANITIZE_STRING flag to filter the whole post array

filter_var_array($_POST, FILTER_SANITIZE_STRING) //just an example filter

There are loads of different filter options available on the w3schools filter reference

回答3:

to make the recursion more elegant you could use something like array_map for example:

$_POST = array_map('mysql_real_escape_string',$_POST);

Use filter var if you can though as these kind of approaches are generally bad, just an example though ;)

回答4:

unchecked checkboxes are not sent to the server.

you may use array_walk_recursive to do what you want

回答5:

This is the wrong way to go about cleaning input.

Applying blanket mysql escaping to absolutely everything in $_POST and $_GET is going to come back and bite you, if you still want to use the data after you've made a database query but you don't want the escape characters in there.

Use parameterised queries with mysqli or PDO and you will never need to use mysql_real_escape_string().