
Sanitize search query with php

When a user searches on my site, I grab the get request and do a mysql query against it. My original code looked something like this: $q = $_GET['q'];

Right now urldecode is adding slashes for me, but I decided to also try filter_var with the sanitize string filter.

Here is my sql when I use $q = urldecode($_GET['q']); :

SELECT * FROM item WHERE title LIKE '%you\'re%' OR description LIKE '%you\'re%' ORDER BY date DESC 

and here is my sql when I use: $q = filter_var(urldecode($_GET['q']), FILTER_SANITIZE_STRING);

SELECT * FROM item WHERE title LIKE '%you\'re%' OR description LIKE '%you\'re%' ORDER BY date DESC 

The sql is exactly the same, but I get different results and I'm not sure why? Just using urldecode returns the correct results from the database, but filter_var returns nothing (even though the sql is the same).

I guess my question is, what's the best way to sanitize a search query string?

Urldecode is the wrong function to use - PHP will automatically decode any variables in $_GET so you don't need to, and the PHP Manual says doing so is dangerous.

Often people talk about sanitizing input, but I prefer to think about sanitizing output.

For example, sanitizing input would be:

$q = urldecode($_GET['q']);
$sql = "SELECT * FROM item WHERE title LIKE '%{$q}%'"; // $q goes into the SQL string unescaped

// later
echo "These items match '$q'"; // and into the HTML unescaped

And sanitizing output:

$sql = "SELECT * FROM item WHERE title LIKE '%".mysql_real_escape_string($_GET['q'])."%'"; // escaped for the SQL string context

// later
echo "These items match '".htmlspecialchars($_GET['q'])."'"; // escaped for the HTML context

Notice how in the latter example I've used different functions - one for converting the data into a mysql safe format, the other for converting the data into an HTML safe format. You can't know which function you want to run until you know what you're doing with the data.

Others have mentioned parameterised queries. Yes, these are about as secure as you can get and avoid accidental errors, but are not easy to switch to overnight.

Don't try to sanitize your data.

Use parametrized queries.

See http://bobby-tables.com/php.html for examples.
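The two answers above recommend parameterised queries and escaping per output context. The following is an added example (not code from the question or any answer) that does both for the search in the question: it assumes the `item` table (title, description, date) and builds an in-memory SQLite database with constructed rows so it runs stand-alone; with MySQL only the DSN changes.

```php
<?php
// Added example, not code from the question or any answer. It assumes the
// `item` table from the question (title, description, date) and uses an
// in-memory SQLite database with constructed rows so it runs offline; with
// MySQL only the DSN changes.
declare(strict_types=1);
// Binding stops SQL injection, but '%' and '_' in the input would still act
// as LIKE wildcards, so escape them (and the escape character) first.
function like_literal(string $s): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// The question's search as a prepared statement: the user's text is bound as
// data, so "you're" needs no quoting and cannot alter the SQL.
function search_items(PDO $pdo, string $q): array
{
    $stmt = $pdo->prepare(
        "SELECT title, description FROM item
         WHERE title LIKE :t ESCAPE '!' OR description LIKE :d ESCAPE '!'
         ORDER BY date DESC"
    );
    $pattern = '%' . like_literal($q) . '%';
    $stmt->execute([':t' => $pattern, ':d' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The output context is HTML, not SQL, so a different escape applies here.
function render_results(string $q, array $rows): string
{
    $out = 'Items matching ' . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . "\n";
    foreach ($rows as $row) {
        $out .= '<li>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $out;
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE item (title TEXT, description TEXT, date TEXT)');
$ins = $pdo->prepare('INSERT INTO item (title, description, date) VALUES (?, ?, ?)');
$ins->execute(["You're welcome mug", 'Ceramic, 300 ml', '2020-01-02']);
$ins->execute(['Plain mug', "Says you're the best", '2020-01-01']);
$ins->execute(['100% cotton shirt', 'Unisex', '2020-01-03']);
echo render_results("you're", search_items($pdo, "you're"));   // apostrophe is bound, not interpolated
echo render_results('100%', search_items($pdo, '100%'));       // '%' is matched literally, not as a wildcard
echo render_results("' OR 1=1 --", search_items($pdo, "' OR 1=1 --")); // treated as plain search text
```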

The best option is to use the PHP sanitize filters: http://php.net/manual/en/filter.filters.sanitize.php

I would do:

$q = mysql_real_escape_string( stripslashes( $_GET['q'] ) );
