I'd like to take user input, denoted as $dangerous_string, and use it as part of a RegEx in a MySQL query.
What's the best way to go about doing this? I want to use the user's string as a literal -- if it contains any characters that mean something in MySQL RegEx, those characters should not actually affect my Regular Expression.
$dangerous_string = $_GET["string"];
//do something here
$dangerous_string = what_goes_here($dangerous_string);
$sql = "SELECT * FROM table WHERE search_column REGEX '" . $mysqli->real_escape_string("[[:<: .>
//etc....
解决方案
AFAIK, there is no native way of escaping for MySQL regex. You can do it in PHP with preg_quote (http://www.php.net/manual/en/function.preg-quote.php) which would probably do the job for you, but is obviously not designed for the purpose.
My preferred way if I were in your situation would be to construct a regex whitelist in PHP that you can then apply to your dangerous string:
$safeString = preg_replace('/[^\w]/','',$dangerousString);
This removes any non-word characters (i.e. anything except A-Za-z0-9_) from your string.
NB I believe the other answers given will not remove/escape regex special characters, which I believe is your requirement.
2246
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
