脚本的这一部分从sql注入安全吗？

Question

Is this part of the script is safe from sql injections? Because i used this

foreach(array_keys($_POST) as $key)
{
  $clean[$key] = mysql_real_escape_string(trim($_POST[$key]));
}

the guide of web said it should work more effectively and faster.

<?
    session_start();
    include("db.php");

    if(empty($_POST['token']) || $_POST['token'] !== $_SESSION['token']){
      exit("Error!");
    }
    unset($_SESSION['token']);


    foreach(array_keys($_POST) as $key)
    {
      $clean[$key] = mysql_real_escape_string(trim($_POST[$key]));
    }
    $name=$clean['name'];
    $country=$clean['country'];
    $ip=$clean['ip'];
    $map=$clean['map'];

Thanks for any help.

Answer 1

Yes, this is save in case you put it in quotes (in mysql query).. However, I'd change foreach to

foreach($_POST as $key => $value)
{
  $clean[$key] = mysql_real_escape_string(trim($value));
}

Answer 2

如果要轻松防止SQL注入并养成良好的习惯，则应使用PDO或mysqli检查参数化查询 。