我知道这个话题以前已经讨论过了,但是自从2010年底这篇帖子和其他相关讨论引发问题时 - FILTER_VALIDATE_EMAIL能使字符串安全地插入数据库吗? - 我尝试了一些描述的情况,例如在使用FILTER_VALIDATE_EMAIL的电子邮件表单中使用单引号和`字符,并阻止它们进入数据库。
最近的PHP版本是否修复了早期的问题并且是安全的?
我想同时使用mysql_real_escape_string(),也许两个函数可以并行使用而不会出现冲突?
这是我用来将地址放入数据库的邮件列表代码
<?php
// connects the database access information this file
include("mailing_list_include.php");
// the following code relates to mailing list signups only
if (($_POST) && ($_POST["action"] == "unsub")) {
// trying to ubsubscribe; validate email addresses
if ($_POST["email"] == "") {
header("Location: mailing_list_remove.php");
exit;
} else {
// connect to database
doDB();
// filtering out anything that isn't an email address
if ( filter_var(($_POST["email"]), FILTER_VALIDATE_EMAIL) == TRUE) {
echo '';
} else {
echo 'Invalid Email Address';
exit;
}
// check that email is in the database
emailChecker($_POST["email"]);
// get number of results and do action
if (mysqli_num_rows($check_res) < 1) {
// free result
mysqli_free_result($check_res);
// print failure message
$display_block = "We couldn't find ".$_POST["email"].". No action has therefore been taken.";
} else {
// get value of ID from result
while ($row = mysqli_fetch_array($check_res)) {
$id = $row["id"];
}
// unsubscribe the address
$del_sql = "DELETE FROM subscribers
WHERE id = '".$id."'";
$del_res = mysqli_query($mysqli, $del_sql)
or die(mysql_error($mysqli));
$display_block = " Your email address, ".$_POST["email"].", is unsubscribed!";
}
mysqli_close($mysqli);
}
}
?>
<html>
<?php echo "$display_block";?>
</html>
mysql_real_escape_string来处理任何要存入数据库的字符串数据。 - Brian Driscoll