可能重复: 如何在mysql插入语句中包含PHP变量
如何使用此函数清除从URL中提取的变量?假设我有$id变量,它是从"www.mydomain.com/single-page?id=534"中提取的,我想在MySQL select语句中使用它之前让它变得安全.
<?php
class SecureSqlInjection
{
function specificData($val)
{
$val = htmlspecialchars(stripslashes(trim($val)));
$val = str_ireplace("script", "blocked", $val);
$val = mysql_escape_string($val);
return $val;
}
function secureSuperGlobalGET(&$value, $key)
{
if(!is_array($_GET[$key]))
{
$_GET[$key] = htmlspecialchars(stripslashes($_GET[$key]));
$_GET[$key] = str_ireplace("script", "blocked", $_GET[$key]);
$_GET[$key] = mysql_real_escape_string($_GET[$key]);
}
else
{
$c=0;
foreach($_GET[$key] as $val)
{
$_GET[$key][$c] = mysql_real_escape_string($_GET[$key][$c]);
$c++;
}
}
return $_GET[$key];
}
function secureSuperGlobalPOST(&$value, $key)
{
if(!is_array($_POST[$key]))
{
$_POST[$key] = htmlspecialchars(stripslashes($_POST[$key]));
$_POST[$key] = str_ireplace("script", "blocked", $_POST[$key]);
$_POST[$key] = mysql_real_escape_string($_POST[$key]);
}
else …