The server uses mysql_real_escape_string to clean the client data bitsCN.com.
Because mysql_real_escape_string requires MySQL database connection, you must connect to the MySQL database before calling mysql_real_escape_string.
PHP:
Function mysqlClean ($ data)
{
Return (is_array ($ data ))? Array_map (mysqlClean, $ data): mysql_real_escape_string ($ data );
}
?>
Call method
PHP:
$ Conn = mysql_connect (localhost, user, pass );
...
$ _ POST = mysqlClean ($ _ POST );
?>
The cleaned data can be directly inserted into the database.
Note! Mysql_real_escape_string can be used only when (PHP 4> = 4.3.0, PHP 5. Otherwise, only mysql_escape_string can be used. The difference between the two is:
Mysql_real_escape_string considers the current character set to be connected, while mysql_escape_string does not.
Because mysql_real_escape_string requires MySQL database connection, you must connect to the MySQL database before calling mysql_real_escape_string.
When we know that the data type is string, we can limit the length of the string while cleaning the data. This method comes from David Lane, Hugh E. Williams Web Database Application with PHP and MySQL (OReilly, May 2004)
PHP:
Function mysqlClean ($ array, $ index, $ maxlength)
{
If (isset ($ array [$ index])
{
$ Input = substr ($ array ["{$ index}"], 0, $ maxlength );
$ Input = mysql_real_escape_string ($ input );
Return ($ input );
}
Return NULL;
}
?>
Call method:
PHP:
$ Conn = mysql_connect (localhost, user, pass );
If (isset ($ _ POST [username])
{
$ _ POST [username] = mysqlClean ($ _ POST, username, 20 );
Echo $ _ POST [username];
}
?>
Clean the username in the $ _ POST array and extract the first 20 characters.
BitsCN.com