
Do you still need to filter user input when using PDO?

WBOY (Original)
2016-07-06 13:53:24

How should I filter if I use it?

Reply content:


Simple filtering is definitely needed, such as data length, data type, etc., all need to be filtered. PDO only solves the problem of SQL injection. Other program logic problems must be solved by yourself.
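To make the split of responsibilities in this answer concrete, here is an added example that is not part of the original thread. It keeps validation (type, length, character set) in plain PHP and leaves only the SQL-injection problem to PDO's bound parameters. It uses an in-memory SQLite database so it runs offline; the `users` table, the sample rows and the `$requests` array standing in for `$_GET`/`$_POST` are all constructed for the example.

```php
<?php
// Added example (not from the original thread). SQLite in-memory database,
// constructed table and request data.
declare(strict_types=1);

function validateUsername(string $raw): string
{
    // Length and character-set rules are the "simple filtering" the answer
    // refers to: PDO enforces none of them.
    $name = trim($raw);
    if ($name === '' || strlen($name) > 32) {
        throw new InvalidArgumentException('username must be 1-32 bytes');
    }
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $name)) {
        throw new InvalidArgumentException('username may contain only letters, digits and _');
    }
    return $name;
}

function validateAge(string $raw): int
{
    // intval() would silently turn "17abc" into 17; filter_var rejects it.
    $age = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 0 and 150');
    }
    return $age;
}

function findUser(PDO $pdo, string $username, int $minAge): array
{
    // Bound values travel separately from the SQL text, so user input can
    // never change the structure of the statement. That is all PDO solves.
    $stmt = $pdo->prepare('SELECT id, username, age FROM users WHERE username = :u AND age >= :a');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':a', $minAge, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For MySQL you would additionally pass
//   PDO::ATTR_EMULATE_PREPARES => false
// in this options array so the server, not the client library, prepares the
// statement. SQLite always uses real prepared statements, so it is omitted here.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, age INTEGER)');
$pdo->exec("INSERT INTO users (username, age) VALUES ('alice', 30), ('bob', 17)");

// Constructed request data standing in for $_GET / $_POST.
$requests = [
    ['username' => 'alice',        'age' => '18'],     // valid: 1 row
    ['username' => "' OR 1=1 --",  'age' => '18'],     // rejected by validation (and inert to PDO anyway)
    ['username' => 'bob',          'age' => '17abc'],  // wrong type: rejected
];

foreach ($requests as $req) {
    try {
        $rows = findUser($pdo, validateUsername($req['username']), validateAge($req['age']));
        printf("%-12s -> %d row(s)\n", $req['username'], count($rows));
    } catch (InvalidArgumentException $e) {
        printf("%-12s -> rejected: %s\n", $req['username'], $e->getMessage());
    }
}
```

The second request would be harmless even without `validateUsername()`, because the quote is bound as data rather than spliced into the SQL; the third one is the kind of "program logic problem" the answer has in mind, and PDO does nothing about it.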

It is better to filter it, although PDO preprocessing can prevent SQL injection. I won’t go into the processing of simple values like intval/trim. Filtering mainly takes into account some special characters. Here is one of my methods for processing characters. You can refer to it; I hope it will be helpful to you.

<code>/**
 * description: filter and escape POST|GET data
 * @param string $val    raw request value
 * @param bool   $isboor when true, also escape the LIKE wildcards % and _
 * @return string
 */
function isEscape($val, $isboor = false) {
    // get_magic_quotes_gpc() was removed in PHP 8; guard the call so this
    // does not fatal there (magic quotes are always "off" on those versions).
    if (! function_exists ( 'get_magic_quotes_gpc' ) || ! get_magic_quotes_gpc ()) {
        $val = addslashes ( $val );
    }
    if ($isboor) {
        // Backslash-escape the LIKE metacharacters so they match literally.
        $val = strtr ( $val, array (
                "%" => "\%",
                "_" => "\_" 
        ) );
    }
    return $val;
}</code>

With PHP version <= 5.3.6, I set setAttribute(PDO::ATTR_EMULATE_PREPARES, false) for local testing and prepare was still processed locally. I don’t know if it was a problem with my testing. I tested two PHP versions, 5.2.3 and 5.2.17.

It absolutely must be filtered! Also filter for XSS, etc.

For example, XSS
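PDO has no bearing on XSS at all, since that is an output problem rather than a query problem. As an added example that is not part of the thread, the snippet below stores user text unchanged and escapes it for the HTML context at render time; `h()` and `renderComment()` are names chosen here, and the `$comments` array is constructed input standing in for rows read back from the database.

```php
<?php
// Added example (not from the original thread). Constructed comment data.
declare(strict_types=1);

// Escape for HTML text and double-quoted attribute context. Do this when
// producing output, not when storing input, so the database keeps the real text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . h($author) . '">'
         . '<p>' . h($body) . '</p>'
         . '</div>';
}

// Constructed rows: one ordinary comment, one carrying markup in both fields.
$comments = [
    ['author' => 'alice', 'body' => 'Nice post, thanks <3'],
    ['author' => '" onmouseover="alert(1)', 'body' => '<script>alert(1)</script>'],
];

foreach ($comments as $c) {
    echo renderComment($c['author'], $c['body']), "\n";
}
// The second row renders as inert text:
// <div class="comment" data-author="&quot; onmouseover=&quot;alert(1)"><p>&lt;script&gt;alert(1)&lt;/script&gt;</p></div>
```

`ENT_QUOTES` is what makes the attribute case safe; the default flags would leave a single quote untouched, which matters as soon as an attribute is single-quoted. Other output contexts (JavaScript strings, URLs, CSS) need their own encoders; `htmlspecialchars()` covers only HTML.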
