我的php CRUD类中有以下方法:
//secure search method
function secureInput($ary = array()){
$this->connect();
$securedArray = array();
//print_r($ary);
foreach($ary as $val){
//echo($val.'<br />');
$val = str_replace("'","",$val);
$val = str_replace("#","",$val);
$val = str_replace("~","",$val);
$val = str_replace("!","",$val);
$val = str_replace("%","",$val);
$val = str_replace("*","",$val);
$val = str_replace("drop","",strtolower($val));
$val = str_replace("show","",strtolower($val));
$val = str_replace("insert","",strtolower($val));
$val = str_replace("create","",strtolower($val));
$val = str_replace("update","",strtolower($val));
$val = str_replace("select","",strtolower($val));
$val = str_replace('"',"",$val);
$val = str_replace("+","",$val);
$val = str_replace(";","",$val);
$val = mysql_real_escape_string($val);
$securedArray[] = $val;
}
return $securedArray;
}
我想使用以下代码来获取输入并返回干净输入(黑客xss证明输入),然后将其用于我的数据库查询,如插入更新和检索等
require_once('classes/classes.php');
$crud = new CRUD();
$ar = array("Shah Hussai#n","shahhus';sai;'n3#05@xyz.com","",234);
$name = "";$email = "";$empty ="";$int = "";
$ary = $crud->secureInput($ar);
if(!isset($ary[0]) || empty($ary[0])){
echo("Please provide your name<br />");
}
else{
//update variables here
$name = $ary[0];
$email = $ary[1];
$empty = $ary[2];
$int = $ary[3];
}//if
echo $sql = "INSERT INTO tbl(name,email...) values($name,$email,$empty,$int)";
现在我不确定这是否会保护我的代码免受黑客Cross Scripting和sql注入尝试?或者我应该做些别的事情来安全地接受输入?
提前致谢