I have to remove hazardous chracter from my query post string. Is there any function define in开发者_运维知识库 php to remove directly or another way ?
First thing first what do you use these strings for ?
- If you store them in a database : use parameterized queries (use mysqli or PDO instead of mysql).
- If you display them in a webpage : use htmlspecialchar to filter HTML code
- If you use it to redirect the user to some page : filter \n and \r character
- If you use it to send emails : filter \n and \r characters too
- If you want to avoid CSRF : don't forget to check the random token you'll have put in your form
- If you use it to get the path to a file on your system : don't
- Whatever you do, don't forget to use the filter_input function to get your data as it handle the magic_quotes
Don't forget to check the OSWAP top 5
I hope you aren't putting sql queries into a GET string... but whatever.
If this is for a query, use mysql_real_escape_string
.
In normally for this, we can use addslashes
and stripslashes
in php.
But better method is to use mysql_real_escape_string
for query to avoid this type of sql injection.
Filter the input?
Use strip_tags()
, htmlspecialchars()
and htmlentities()
.
精彩评论