php - 我有一个不能替换所有字符的功能
问题描述
我有这个函数清理 SQL 注入的字符串
function _clean($clean) {
$clean = utf8_encode($clean);
$array_find = array( "(" , ")" , "," , "#" , "'" , "@" , ";" , ":" , "&");
$array_replace = array("\x28","\x29","\x82","\x23","\x27","@","\x3B","\x3A","&")
$cleaned = str_replace( $array_find,$array_replace, $clean);
return $cleaned;
}
它工作得很好,但我注意到我已经$cleaned = _clean("Relaxin'");
清理了退货的情况,因为"Relaxin'";
它无法删除这个单引号我不确定为什么我要转换为 utf8。有没有人有任何想法,因为我可能需要重新编写str_replace()
?
我确实先尝试过:
//uses https://www.ascii-code.com/
function _clean($clean)
{
$clean = utf8_encode($clean);
$array_find = array( "(" , ")" , "," , "#" , "'" , "@" , ";" , ":" , "&");
$array_replace = array("(",")",",","#","'","@",";",":","&");
$cleaned =
str_replace( $array_find,$array_replace, $clean);
return $cleaned;
}
当它被转换回输出到互联网时留下有趣的字符 'Erotic Lounge (Bare Pearls) 变成 'Erotic Lounge &#Bare Pearls&#' 由于某种原因括号不会出现在屏幕上。
我试过这个
$array_replace = array("&(",")",",","#","'","@",";",":","& "); 广告似乎一切正常。
我仍然没有得到 ',' 替换为愚蠢的字符 '&#'
例如在“封面,第 1 卷”中以“封面&#第 1 卷”结尾
有谁知道为什么它在网页上这样做。
function _clean($clean) {
$clean = utf8_encode($clean);
$array_find = array("è", "ê", "é", "(" , ")" , "," , "#" , "'" , "@" , ";" , ":" , "&");
$array_replace = array("è","ê","é","(",")",",","#","'","@",";",":","&");
$cleaned = str_replace( $array_find,$array_replace, $clean);
return $cleaned;
}
解决方案
你会期待什么?您正在替换单引号'
,\x27
这只是写单引号的另一种方式。
如果您想用字面意思替换单引号\x27
,即您希望生成的字符串是Relaxin\x27
,您必须转义反斜杠。即使用
$array_replace = array("\\x28","\\x29","\\x82","\\x23","\\x27","@","\\x3B","\\x3A","&")
但老实说,为了防止 SQL 注入,您应该更好地信任完善的库,而不是自己编写代码。使用参数化查询,因此框架将负责在必要时正确转义值。正确转义字符串,通常不仅仅是盲目地替换一堆字符,因为它还可能取决于它们出现的上下文......
推荐阅读
- wordpress - Woocommerce 将在当前产品中显示其他类别的所有产品
- angular - 角度数据表集成
- c# - 带有插值字符串的 ExecuteSqlCommand 导致“输入语法无效”错误
- python - 使用 spyder 进行 Python 分析:成分的时间不等于函数的总时间
- lightgbm - 使用具有平均精确召回分数的 lightgbm
- office-ui-fabric - Office UI Frabric 响应式枢轴
- android - SQLite 中未定义的函数 SUM
- perl - IO::Socket::SSL 在 IIS 8.5 中失败
- c# - 如何禁用“您确定要离开此页面”警报?
- vba - 自动筛选删除仅在从特定工作表运行宏时有效