
Do you still need to filter user input when using PDO?

WBOY
Release: 2016-07-06 13:53:24

If I do use PDO, how should I filter?

Reply content:


Simple filtering is definitely still needed: data length, data type and so on all need to be checked. PDO only solves the SQL injection problem; other program-logic problems you have to solve yourself.

It is better to filter anyway, even though PDO prepared statements can prevent SQL injection. I won't go into simple handling such as intval and trim; filtering is mainly about some special characters. Here is one of my methods for processing characters. You can use it as a reference, and I hope it is helpful to you.

<code>/**
 * Filter and escape POST|GET data
 */
function isEscape($val, $isboor = false) {
    // Only add backslashes if magic_quotes_gpc has not already done so.
    // get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists() guard:
    // without magic quotes the value is escaped exactly as before.
    if (! function_exists('get_magic_quotes_gpc') || ! get_magic_quotes_gpc()) {
        $val = addslashes($val);
    }
    if ($isboor) {
        // Also escape the LIKE wildcards % and _ so they match literally
        $val = strtr($val, array(
            '%' => '\%',
            '_' => '\_',
        ));
    }
    return $val;
}</code>
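The two replies above make separate points: PDO parameter binding stops SQL injection, while length and type checks and special-character handling stay the application's job. The PHP below is an added example written for this page, not code from the thread or from any of its posters. It assumes the pdo_sqlite and mbstring extensions, builds its own in-memory table with constructed rows, and uses illustrative function names (validateName, validateAge, escapeLike). It goes one step past the posted isEscape: the LIKE-wildcard escaping is paired with an ESCAPE clause in the query so the database knows which character is the escape, and values that are bound as parameters are passed through unescaped, because addslashes on a bound value only puts literal backslashes into the stored data.

```php
<?php
// Added example, not from the original thread. Assumes pdo_sqlite + mbstring.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL)');

// Constructed sample rows; "100%bob" contains a LIKE wildcard on purpose.
$ins = $pdo->prepare('INSERT INTO users (name, age) VALUES (:name, :age)');
foreach ([['alice', 30], ['bob_smith', 25], ['100%bob', 41]] as [$n, $a]) {
    $ins->execute([':name' => $n, ':age' => $a]);
}

/**
 * Length/type check for a user-supplied name, as the first reply recommends.
 * This is application logic; PDO does none of it. Returns null when rejected.
 */
function validateName($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 32) {
        return null;
    }
    return $name;
}

/** Same idea for an integer field: reject anything that is not a whole number in range. */
function validateAge($raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $age === false ? null : $age;
}

/**
 * Escape LIKE metacharacters (the same strtr idea as the posted isEscape),
 * using '!' as the escape character so no backslash juggling is needed.
 * The query must declare the same character with ESCAPE '!'.
 */
function escapeLike(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

// 1. An injection-looking string passed as a bound value is just data:
//    the equality comparison matches no row.
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
$stmt->execute([':name' => "x' OR '1'='1"]);
echo 'rows matched by bound injection string: ' . $stmt->fetchColumn() . PHP_EOL;

// 2. Validation is a separate step that binding does not replace.
var_dump(validateName(str_repeat('a', 40)));  // rejected: too long
var_dump(validateAge('25abc'));                // rejected: not an integer
var_dump(validateAge('25'));                   // accepted

// 3. LIKE: binding does not neutralise % and _, so a user searching for "%"
//    matches every row unless the wildcard is escaped.
$search = '%';
$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name LIKE :pat');
$stmt->execute([':pat' => '%' . $search . '%']);
echo 'unescaped LIKE matches: ' . $stmt->fetchColumn() . PHP_EOL;

$stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE name LIKE :pat ESCAPE '!'");
$stmt->execute([':pat' => '%' . escapeLike($search) . '%']);
echo 'escaped LIKE matches: ' . $stmt->fetchColumn() . PHP_EOL;
```

Run with `php example.php`: the bound injection string matches no row, the two bad inputs are rejected as null, the unescaped wildcard search matches all three rows, and the escaped search matches only the row whose name really contains a percent sign.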

With PHP version <= 5.3.6, I set setAttribute(PDO::ATTR_EMULATE_PREPARES, false) for local testing and prepare was still processed locally. I don't know if it was a problem with my testing. I tested two PHP versions, 5.2.3 and 5.2.17.
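For anyone checking the same thing, here is an added PHP example (not code from the thread) of the way ATTR_EMULATE_PREPARES is normally set: as a constructor option, so it is in force before the first prepare(), followed by reading the attribute back to confirm what the driver actually did rather than assuming it. Host, database name and credentials are placeholders, and the code assumes the pdo_mysql driver. The charset DSN parameter is only honoured by pdo_mysql from PHP 5.3.6 onwards, which is the same version boundary mentioned above.

```php
<?php
// Added example, not from the original thread. Assumes pdo_mysql;
// host, database and credentials below are placeholders.
declare(strict_types=1);

$dsn = 'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4';

$pdo = new PDO($dsn, 'example_user', 'example_password', [
    PDO::ATTR_EMULATE_PREPARES   => false,                  // ask for server-side prepares
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Read the setting back: if the driver could not honour it, this shows it.
var_dump($pdo->getAttribute(PDO::ATTR_EMULATE_PREPARES));

// With native prepares the placeholder is sent to the server separately from
// the statement text, so the value can never be parsed as SQL.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
$stmt->execute([':name' => $_GET['name'] ?? '']);
foreach ($stmt as $row) {
    echo $row['id'], ' ', $row['name'], PHP_EOL;
}
```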

It must definitely be filtered! Also filter for XSS and the like.

For example, XSS.
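The last two replies bring up XSS, which is a separate problem from SQL injection: binding keeps a value out of the SQL, but says nothing about what happens when that value is later written into a page. The PHP below is an added example, not code from the thread; the hostile input is a constructed sample, and e() and jsValue() are illustrative helper names. It shows the usual defender's approach of encoding at the point of output, per context, instead of trying to strip "bad" characters on input.

```php
<?php
// Added example, not from the original thread. Demonstrates context-aware
// output encoding for XSS; the input below is a constructed sample.
declare(strict_types=1);

/** Encode a value for HTML text content or a quoted HTML attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a value for use inside an inline script: JSON with HTML-significant characters hex-escaped. */
function jsValue($value): string
{
    return (string) json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample: contains both quote styles and a tag.
$untrusted = '"\'><script>alert(1)</script>';

// The raw value can be stored unchanged through a bound parameter;
// it is encoded here, once per output context.
echo '<p>'              . e($untrusted)      . '</p>'           . PHP_EOL;
echo '<input value="'   . e($untrusted)      . '">'             . PHP_EOL;
echo '<script>var n = ' . jsValue($untrusted) . ';</script>'     . PHP_EOL;
```

Each output line renders the sample as literal text: the angle brackets and both kinds of quote come out as entities in the HTML contexts, and as \u003C-style escapes inside the script block, so nothing the user typed is interpreted as markup or code.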

source:php.cn