PHP sql对待特殊字符
[英]PHP sql treat special characters
问题描述
$sql = "INSERT INTO golf (datum, odkud, odjezd ) VALUES ('$datum', '$odkud', '$odjezd')";
if(!mysqli_query($connection,$sql)) {
echo '<p class="error">Záznam nebyl vložen</p>';
} else {
header ("location :/golf");
}
Hello, I am working on my thesis to school. 
您好,我正在写毕业论文。 I have this code and my supervisor keeps telling me to "treat special characters". 我有此代码,我的主管不断告诉我“处理特殊字符”。 How do I do that? 我怎么做? He only saw the code I showed you. 他只看了我给你看的代码。
2 个解决方案
解决方案1
1 2018-04-14 12:20:31
User input MUST be sanitized prior to insertion, you'll be opening a door into your server otherwise. 用户输入的内容必须在插入之前进行清理 ,否则,您将为服务器打开一扇门。
You also need to validate the input. 您还需要验证输入。 What I normally do, is create a series of regex to validate each field individually, or use one of the available php validate filters . 我通常要做的是创建一系列正则表达式来分别验证每个字段,或使用可用的php validate过滤器之一 。
Remember, you can - and should - do client side validation , which is great to reduce server load, but has 0 value as a security measure because it can be easily faked. 请记住,您可以并且应该执行客户端验证 ,这对于减少服务器负载非常有用,但由于它很容易被伪造,因此它的安全性值为0。 server side validation is the most important as it's your last line of defense . 服务器端验证是最重要的,因为这是您的最后一道防线 。
Don't take user input lightly, tons of servers get hacked due to bad or nonexistent user input sanitization. 不要轻视用户的输入,由于不良或不存在用户输入清理功能,大量服务器被黑客入侵。
To directly answer your question, mysqli_real_escape_string() is your friend to escape special characters , ie: 为了直接回答您的问题, mysqli_real_escape_string()是您转义特殊字符的朋友,即:
$odjezd = mysqli_real_escape_string($connection, $odjezd)
Characters encoded are NUL (ASCII 0), \\n, \\r, \\, ', ", and Control-Z.
Update: 更新:
I have used mysqli_real_escape_string and i am still able to submit "a{b}c'=%" I would like it to remove spec.characters and just input abc...how?
Let's assume that $odkud can only contain letters or digits and be 5 chars long only to validate, we can use preg_match() as validator, ie: 假设$odkud只能包含字母或数字,并且只有5个字符,仅用于验证,我们可以使用preg_match()作为验证器,即:
$id = $_REQUEST['id'];
if (preg_match('/^[a-z\d]{5}$/i', $odkud)) {
# Successful match
} else {
# Match attempt failed
}
Live Regex Example & Explanation Live Regex示例与说明
If you just need to remove the special characters use one of the php filters mentioned above or preg_replace , ie: 如果只需要删除特殊字符,请使用上面提到的php过滤器之一或preg_replace ,即:
$odkud_filtered = preg_replace('/[^a-z\d]/i', '', $odkud);
# abc
解决方案2
1 2018-04-14 12:45:25
your supervisor just ask you to treat special characters 😊. 您的主管只要求您对待特殊字符😊。 For that @Pedro's answer is enough. 为此,@ Pedro的答案就足够了。
$odjezd = mysqli_real_escape_string($connection, $odjezd) // copied from @Pedro’s answer
But if you need more validation, you can check the format of the date is correct? 但是,如果需要更多验证,可以检查日期格式是否正确?
$test_arr = explode('/', $POST[‘date’]);
if (count($test_arr) == 3) {
if (checkdate($test_arr[0], $test_arr[1], $test_arr[2])) {
// valid date ...
} else {
// problem with dates ...
}
} else {
// problem with input ...
}
Likewise you can validate your data according to your required way. 同样,您可以根据所需方式验证数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.