如何清理这个特定的mysql查询?
[英]How to sanitize this particular mysql query?
问题描述
i got this SQL query where post_title taken from $_GET 
我收到此SQL查询,其中post_title从$ _GET中获取
$sql = "SELECT ID FROM posts WHERE posts.post_title = '5-design-web-colourful'";
What is the best way to sanitize this and make it more safe ? 对此进行消毒并使其更安全的最佳方法是什么?
EDIT : (as requested) I'm trying to create a plugin that work to hide a particular category (named private) and all of its post for every non-logged guest. 编辑:(按要求)我正在尝试创建一个插件,该插件可为每个未记录的来宾隐藏特定类别(命名为private)及其所有帖子。 i have hook into 'pre_get_posts' and 'posts_selection' able to control how to show particular posts and category for admin, the member who wrote them, other member, and guest. 我已经钩入“ pre_get_posts”和“ posts_selection”,它们能够控制如何显示管理员的特定帖子和类别,编写这些帖子的成员,其他成员以及来宾。
The category must be non exist. 该类别必须不存在。 so it can not be shown on cat archive page in front end. 因此它不能显示在前端的cat存档页面上。
I know it's not relatedto the question cause what iask just how to sanitize name / title of a post. 我知道这与问题无关,只是如何清理帖子的名称/标题。 nothing more. 而已。
2 个解决方案
解决方案1
3 已采纳 2010-03-29 07:40:34
假设您使用MySQL,请使用mysql_real_escape_string 。
解决方案2
3 2010-03-29 07:57:24
While this doesn't directly answer your question, the better approach is to use bind parameters. 虽然这不能直接回答您的问题,但是更好的方法是使用绑定参数。 This protects you from all attack vectors of this category. 这样可以保护您免受此类攻击的所有侵害。
http://php.net/manual/en/pdo.prepared-statements.php http://php.net/manual/zh/pdo.prepared-statements.php
http://www.php.net/manual/en/pdostatement.bindparam.php http://www.php.net/manual/zh/pdostatement.bindparam.php
For your example: 例如:
$sth = $dbh->prepare("select id from $wpdb->posts where $wpdb->posts.post_title = ?");
$sth->bindParam(1, $str);
$sth->execute();
CAUTION: This assumes that $wpdb is safe! 注意:这假定$ wpdb是安全的!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.