我已经在我的网站的每个页面上的任何其他东西之前运行的类进行了清理。我非常确定addslashes与使用mysql_real_escape_string转义类继承相同。这个php代码保护我从SQL注入和XSS?
class sanatize
{
private static $singleton;
function __construct(){
$_CLEAN_POST = array();
$_CLEAN_GET = array();
$_CLEAN_REQUEST = array();
foreach($_REQUEST as $key => $value)
{
$key = addslashes(trim(strip_tags($key)));
$value = addslashes(trim(strip_tags($value)));
$_CLEAN_REQUEST[$key] = $value;
}
foreach($_GET as $key => $value)
{
$key = addslashes(trim(strip_tags($key)));
$value = addslashes(trim(strip_tags($value)));
$_CLEAN_GET[$key] = $value;
}
foreach($_POST as $key => $value)
{
if(is_array($value)){
foreach($value as $key2 => $value2){
$key2 = addslashes(trim(strip_tags($key2)));
$value2 = addslashes(trim(strip_tags($value2)));
$_CLEAN_POST[$key][$key2] = $value2;
}
}
else{
$key = addslashes(trim(strip_tags($key)));
$value = addslashes(trim(strip_tags($value)));
$_CLEAN_POST[$key] = $value;
}
}
$_POST = array();
$_GET = array();
$_REQUEST = array();
$_POST = $_CLEAN_POST;
$_GET = $_CLEAN_GET;
$_REQUEST = $_CLEAN_REQUEST;
}
function __destruct()
{
//echo "cleaned";
}
public static function getInstance()
{
if(is_null(self::$singleton))
{
self::$singleton = new sanatize();
}
return self::$singleton;
}
}
,然后我会用
$sanatize = sanatize::getInstance();
'和addslashes()'不相同的方式工作的'mysql_real_escape_string()' – stillstanding 2010-11-10 04:51:00
这仅仅是一个坏主意各地。它不等同于mysql_real_escape_string,并且您不希望在每个请求中为每个变量添加斜杠 - 它们并不都是进入数据库查询,并且您可能想要更改或显示其中一些值。 – 2010-11-10 04:58:43
@你能否详细说明一下? – Brian 2010-11-10 04:58:55