我知道以前对此进行了讨论,但是自从2010年末发布此帖子以来,以及围绕该问题提出的其他讨论-Does FILTER_VALIDATE_EMAIL make a string safe for insertion in database?-我已经尝试了描述的某些情况,例如在电子邮件中使用单引号和`字符,我正在使用FILTER_VALIDATE_EMAIL,它已阻止它们输入数据库.

PHP的最新版本已解决了较早的问题,并且安全吗？

我很想也使用mysql_real_escape_string(),想必这两个函数可以并行使用而没有任何冲突？

这是我用来将地址放入数据库的邮件列表代码

    <?php
// connects the database access information this file
include("mailing_list_include.php");

// the following code relates to mailing list signups only
if (($_POST) && ($_POST["action"] == "unsub")) {
// trying to ubsubscribe; validate email addresses
if ($_POST["email"] == "") {
    header("Location: mailing_list_remove.php");
    exit;

} else {
    // connect to database
    doDB();

    // filtering out anything that isn't an email address
    if ( filter_var(($_POST["email"]), FILTER_VALIDATE_EMAIL)  == TRUE) {
        echo '';
    } else {
        echo 'Invalid Email Address';
        exit;
    }

    // check that email is in the database
    emailChecker($_POST["email"]);

    // get number of results and do action
    if (mysqli_num_rows($check_res) < 1) {
        // free result
        mysqli_free_result($check_res);

        // print failure message
        $display_block = "We couldn't find ".$_POST["email"].". No action has therefore been taken.";

    } else {
        // get value of ID from result
        while ($row = mysqli_fetch_array($check_res)) {
            $id = $row["id"];
        }

        // unsubscribe the address
        $del_sql =  "DELETE FROM subscribers
                    WHERE id = '".$id."'";
        $del_res =  mysqli_query($mysqli, $del_sql)
                    or die(mysql_error($mysqli));
        $display_block = " Your email address, ".$_POST["email"].", is unsubscribed!";
    }
    mysqli_close($mysqli);
}
}
?>
<html>
<?php echo "$display_block";?>
</html>

解决方法:

filter_var标志FILTER_VALIDATE_EMAIL将按照其说的内容进行操作=将值验证为电子邮件,这意味着如果它不是电子邮件,则将返回false.

您可能正在寻找FILTER_SANITIZE_EMAIL,它将(删除所有字符,字母,数字和！#$％&’*-/ =？^ _`{|}〜@.[]除外).

要么
FILTER_SANITIZE_STRING将剥离标签,可选择剥离或编码特殊字符.

我不推荐w3schools,它具有filter_var标志列表http://www.w3schools.com/php/php_ref_filter.asp

就像其他人所说的那样,使用PDO的预准备查询是安全的,您可以在这里找到一个很棒的pdo示例：http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html#10将解释一些事情,并且这里还有一个简单的pdo CRUD(创建检索更新删除)类：http://www.phpro.org/classes/PDO-CRUD.html

祝好运…