0
我有一個clean_string函數應用於我的應用程序中的文本條目,但我擔心它太過分了。用單引號或雙引號向數據庫提交文本會導致打印出奇怪的字符。clean_string函數過於激進
clean_string功能
<?php
/*
ini_set('display_errors', 1);
error_reporting(E_ALL);
*/
function clean_string($string) {
$string = trim($string);
$string = utf8_decode($string);
$string = str_replace("#", "#", $string); $string = str_replace("%", "%", $string);
if (mysql_real_escape_string($string)) {
$string = mysql_real_escape_string($string);
}
if (get_magic_quotes_gpc()) {
$string = stripslashes($string);
}
return htmlentities($string);
}
?>
輸入文本,如 「你好」 或 '世界' 到下面的文本字段的結果: 
的clean_string函數被調用如下:
//Clean
if ($submit == 'Submit') {
$submit = clean_string($_POST['submit']);
require_once("db_connect.php");
$watchlist_name = clean_string($_POST['watchlist-name']);
$watchlist_description = clean_string($_POST['watchlist-description']);
$watchlist_category = $_POST['watchlist-category'];
$existing_watchlist_name = clean_string($_POST['existing-watchlist']);
$addWatchlist_bad_message = '';
$addWatchlist_good_message = '';
if ($db_server) {
// Add new Watchlisth
if (!empty($watchlist_name)) {
$watchlist_name = clean_string($watchlist_name);
$watchlist_description = clean_string($watchlist_description);
mysql_select_db($db_database);
// Create new Watchlist
$insert_new_watchlist = "INSERT INTO watchlists (user_id, name, description, category) VALUES ('$user_id', '$watchlist_name', '$watchlist_description', '$watchlist_category')";
mysql_query($insert_new_watchlist) or die("Insert failed. " . mysql_error() . "<br />" . $insert_new_watchlist);
// Insert film into new Watchlist
$add_new_film = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES (" . mysql_insert_id() .", '$rt_id')";
mysql_query($add_new_film) or die("Insert failed. " . mysql_error() . "<br />" . $add_new_film);
$addWatchlist_good_message = '<div class="alert alert-success">Watchlist created successfully, and film added!</div>';?>
<script>
$('a.add-watchlist').trigger('click');
</script><?php
} else if (!empty($existing_watchlist_name)) {
mysql_select_db($db_database);
// Select existing Watchlist
$existing_watchlist_select = "SELECT watchlist_id FROM watchlists WHERE name = '$existing_watchlist_name'";
$existing_watchlist_select_result = mysql_query($existing_watchlist_select);
$existing_watchlist_id = mysql_result($existing_watchlist_select_result, 0);
// Add film to existing Watchlist
$insert_into_existing = "INSERT INTO watchlist_films (watchlist_id, film_id) VALUES ('$existing_watchlist_id', '$rt_id')";
mysql_query($insert_into_existing) or die("Insert failed. " . mysql_error() . "<br />" . $insert_into_existing);
$addWatchlist_good_message = '<div class="alert alert-success">Film successfully added to existing Watchlist!</div>';?>
<script>
$('a.add-watchlist').trigger('click');
</script><?php
}
} else {
$addWatchlist_bad_message = '<div class="alert alert-error">Error: could not connect to the database.</div.';?>
<script>
$('a.add-watchlist').trigger('click');
</script><?php
}
require_once("db_close.php");
}
如果切換到PDO或mysqli_ *堆棧,這些問題幾乎消失。你不需要擔心sql注入,因爲函數會自動處理它。只是我的建議。我會看看http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers – Alex 2013-03-24 17:25:36
@Alex感謝您的建議,但我的項目很快就會提交,我真的沒有時間或編碼知識來徹底檢查整個事情!我聽說過幾次PDO或mysqli更好,但不幸的是,這不是我現在可以在一分鐘內實現的。雖然我想,因爲它看起來好多了,我幾乎可以用我所得到的東西來工作! – 2013-03-24 17:27:21
嗯,我不是100%確定的,但是我在使用mysql時從未使用過clean_string。我總是使用mysql_real_escape_string,我不記得有你遇到的問題。所以嘗試用mysql_real_escape_string()切換clean_string()並查看是否解決了這個問題。如果它不讓我知道。 – Alex 2013-03-24 17:33:24