Is this smart or no?
Is it ok to use this code to trim and escape all post´s in my register function? or is it better practice to trim and escape each and every inputs
// Trim and sanitize our input
$_POST = array_map('trim'开发者_JAVA技巧, $_POST);
$_POST = array_map('mysql_real_escape_string', $_POST);
if (invalidinput) dostuff
else insert into user (username,passwd) values ('{$_POST['username']}','{$_POST['passwd']}')
No, because:
- It doesn't work for multi-dimensional arrays.
- You might not use every single
$_POST
value as a DB parameter and thus 3). - It can be unnecessarily slow.
mysql_real_escape_string()
might need the$link_identifier
argument.
Point #1 can be worked out with a custom recursive function, at the expense of being even more slow.
No.
You shouldn't be escaping in the first place. You should be using bound parameters.
精彩评论