开发者

Is this smart or no?

Is it ok to use this code to trim and escape all post´s in my register function? or is it better practice to trim and escape each and every inputs

// Trim and sanitize our input
$_POST = array_map('trim'开发者_JAVA技巧, $_POST);
$_POST = array_map('mysql_real_escape_string', $_POST);

if (invalidinput) dostuff
else insert into user (username,passwd) values ('{$_POST['username']}','{$_POST['passwd']}')


No, because:

  1. It doesn't work for multi-dimensional arrays.
  2. You might not use every single $_POST value as a DB parameter and thus 3).
  3. It can be unnecessarily slow.
  4. mysql_real_escape_string() might need the $link_identifier argument.

Point #1 can be worked out with a custom recursive function, at the expense of being even more slow.


No.

You shouldn't be escaping in the first place. You should be using bound parameters.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜