mysql_real_escape_string()对于$ _SESSION变量是否必要?
[英]mysql_real_escape_string() for $_SESSION variables necessary?
问题描述
Should I use the mysql_real_escape_string() function in my MySQL queries for $_SESSION variables? 
我应该在MySQL查询中使用mysql_real_escape_string()函数来获取$_SESSION变量吗? Theoretically, the $_SESSION variables can't be modified by the end-user unlike $_GET or $_POST variables right? 从理论上讲,最终用户不能修改$_SESSION变量,这与$_GET或$_POST变量不同吗?
Thanks :) 谢谢 :)
4 个解决方案
解决方案1
4 已采纳 2010-01-23 07:51:23
Regardless of whether the user can modify the data, you probably want to escape it anyway in case you ever need the data to contain characters that would break the SQL (quotes, etc). 无论用户是否可以修改数据,您都可能想要转义它,以防您需要数据包含会破坏SQL的字符(引号等)。
Better yet, use bound parameters and you won't have to worry about it. 更好的是,使用绑定参数,您不必担心它。
解决方案2
4 2010-01-23 07:56:12
Do not escape/quote/encode text until you're at the point where you need it. 在您需要它之前,不要转义/引用/编码文本。 Internal representations should be as "raw" as possible. 内部陈述应尽可能“原始”。
解决方案3
3 2010-01-23 07:58:29
You can answer the question yourself by following this line of reasoning: 您可以按照以下推理方式自行回答问题:
Did the value in $_SESSION originate from user input? $ _SESSION中的值是否源自用户输入?
If so, has it been sanitized already? 如果是这样,它已经消毒了吗?
解决方案4
1 2010-01-23 10:26:13
Theoretically, the $_SESSION variables can't be modified by the end-user
No, but the data must have come from somewhere. 不,但数据必须来自某个地方。
You should escape any output from PHP, using the appopriate method for the destination at the point at which it leaves PHP. 您应该从PHP中转义任何输出,在它离开PHP时使用适当的方法作为目标。
C. C。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.