Home >Backend Development >PHP Tutorial >Do you still need to filter user input when using PDO?
How to filter if used?
How to filter if used?
Simple filtering is definitely needed, such as data length, data type, etc., all need to be filtered. PDO only solves the problem of SQL injection. Other program logic problems must be solved by yourself.
It is better to filter it, although PDO
preprocessing can prevent SQL
injection. I won’t go into the processing of simple characters like intval
;trim
. Filtering mainly takes into account some special characters. Here is one of my methods for processing characters. You can refer to it. I hope it will be helpful to you
<code>/** * description 过滤转义POST|GET的数据 */ function isEscape($val, $isboor = false) { if (! get_magic_quotes_gpc ()) { $val = addslashes ( $val ); } if ($isboor) { $val = strtr ( $val, array ( "%" => "\%", "_" => "\_" ) ); } return $val; }</code>
php version<=5.3.6 I set up setAttribute(PDO::ATTR_EMULATE_PREPARES, false) for local testing and still processed prepare locally. I don’t know if it was a problem with my testing. I tested two php versions, php 5.2. 3/5.2.17
The pit must be filtered! Also filter xss etc.
For example, XSS