Cha*_*aim 4 php mysql serialization sanitization
If I store a serialized array in a MySQL database, should I sanitize before or after calling the serialize function? Or do I even need to sanitize at all?
For example:
$details['name'] = mysql_real_escape_string($_POST['name']);
$details['email'] = mysql_real_escape_string($_POST['email']);
$details['phone'] = mysql_real_escape_string($_POST['phone']);
$serializedDetails = serialize($details);
// Do SQL query
Or:
$details['name'] = $_POST['name'];
$details['email'] = $_POST['email'];
$details['phone'] = $_POST['phone'];
$serializedDetails = mysql_real_escape_string(serialize($details));
Or maybe, in the second variant, I could simply do:
$serializedDetails = serialize($details);
mysql_real_escape_string should always be used when handling a string that may contain quotes/slashes. If you don't, you will be hit by broken/malicious queries. The output of serialize() will sometimes contain quotes/slashes, so you should use it. However, there is no need to pre-escape each item of the array.
$details['name'] = $_POST['name'];
$details['email'] = $_POST['email'];
$details['phone'] = $_POST['phone'];
$serializedDetails = mysql_real_escape_string(serialize($details));
As an example: serializing "hello" gives you: s:5:"hello".
$data = 's:5:"hello"';
$query = 'INSERT INTO tbl (data) VALUES ("' . $data . '")';
// leads to a syntax error from mysql
// (plus it's a huge security hole)
mysql_query($query);
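Added example, not code from the question or answer above: the serialized string is bound to the query exactly once, after serialize(), so the stored value round-trips through unserialize() unchanged, while escaping each field first (the question's first variant) bakes backslashes into the data. It assumes PHP 7+ with the pdo_sqlite extension, and a hypothetical table `tbl` with columns `id` and `data`.

```php
<?php
// Added example (not from the original post). Assumes pdo_sqlite and a
// hypothetical table `tbl` (id INTEGER PRIMARY KEY, data TEXT).

function storeDetails(PDO $pdo, array $details): string {
    // serialize() emits quotes, backslashes and any bytes the user sent,
    // e.g. s:7:"O'Brien"; so the result must never be spliced into SQL text.
    $serialized = serialize($details);
    // A bound parameter is sent separately from the SQL, so no escaping
    // of the serialized payload is needed (or applied twice).
    $stmt = $pdo->prepare('INSERT INTO tbl (data) VALUES (:data)');
    $stmt->bindValue(':data', $serialized, PDO::PARAM_STR);
    $stmt->execute();
    return $serialized;
}

function loadDetails(PDO $pdo, int $id): array {
    $stmt = $pdo->prepare('SELECT data FROM tbl WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $raw = $stmt->fetchColumn();
    // Refuse to instantiate classes on the way back out: a stored payload
    // should only ever yield arrays and scalars here.
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed sample input standing in for $_POST.
$details = [
    'name'  => "O'Brien \"Bob\"",
    'email' => 'bob@example.com',
    'phone' => '555-0100',
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl (id INTEGER PRIMARY KEY, data TEXT)');

storeDetails($pdo, $details);
// Escape once, after serialize(): the round-trip is lossless.
assert(loadDetails($pdo, 1) === $details);

// The question's first variant: escaping every field before serialize().
// addslashes() stands in for mysql_real_escape_string(), which needs a
// MySQL connection; the stored name now carries literal backslashes.
$preEscaped = array_map('addslashes', $details);
$roundTrip  = unserialize(serialize($preEscaped), ['allowed_classes' => false]);
assert($roundTrip['name'] !== $details['name']);
assert(strpos($roundTrip['name'], '\\') !== false);
```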
Views: 2833