escaping vs stored procedure


Question


if I use mysql_real_escape_string on all INSERT or UPDATE queries, then would
a stored procedure provide any extra protection?

the user has to be granted UPDATE and/or INSERT privileges anyway.

Also, I've just noticed this from the manual: "mysql_real_escape_string()
calls MySQL's library function mysql_real_escape_string".

So for every occasion that I call php's mysql_real_escape_string(), that
results in traffic over the socket (or pipe) to the MySQL server, right?

Answers

Fred wrote:

> if I use mysql_real_escape_string on all INSERT or UPDATE queries, then would
> a stored procedure provide any extra protection?

It depends on what you do in the stored procedure. If you do additional
checking of the data, yes. Otherwise, no.


无论如何,用户必须被授予更新和/或INSERT权限。


另外,我'我刚从手册中注意到这一点:mysql_real_escape_string()

调用MySQL的库函数mysql_real_escape_string" ;.
the user has to be granted UPDATE and/or INSERT privileges anyway.

Also, I''ve just noticed this from the manual: "mysql_real_escape_string()
calls MySQL''s library function mysql_real_escape_string".



Yes - it calls the LIBRARY FUNCTION.


因此,对于我称之为php的mysql_real_escape_string()的每个场合,

导致流量超过到MySQL服务器的套接字(或管道),对吗?
So for every occasion that I call php''s mysql_real_escape_string(), that
results in traffic over the socket (or pipe) to the MySQL server, right?



Nope. This is performed locally in the client library. No
communications over the link is performed.

And this is the correct function to use. It will escape characters
based on the current charset being used by the connection.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================


..oO(Dale)

>"Fred" <Fr**@notspam.notwrote in message news:g9**********@aioe.org...

>>Also, I've just noticed this from the manual: "mysql_real_escape_string()
>>calls MySQL's library function mysql_real_escape_string".
>>
>>So for every occasion that I call php's mysql_real_escape_string(), that
>>results in traffic over the socket (or pipe) to the MySQL server, right?


>I've always balked at the notion of using mysql_real_escape_string. First,
>not only does it give you a false sense of security (documented cases where
>it DOESN'T prevent injection), it also ties your *validation* routines to
>mysql.

Sure, but do you change your DBMS as often as your underpants?

Use PDO and prepared statements instead and you don't have to worry
about such things at all.

Micha
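As an added illustration of the two approaches the thread contrasts (this is example code written for this page, not code posted by Fred, Jerry, Dale or Micha): the legacy escape-then-concatenate pattern, where safety depends on the connection charset being set before each escaping call, beside the PDO prepared-statement pattern Micha recommends. The `users` table, the `app_user` account and the host name are assumptions constructed for the example.

```php
<?php
// Added example for this thread, not the posters' own code. Assumed schema:
// users(name VARCHAR(64), email VARCHAR(128)); credentials are placeholders.

// Legacy pattern (mysql_* extension, removed in PHP 7.0; shown for contrast).
// mysql_real_escape_string() runs inside the client library with no round trip
// to the server, and it escapes according to the connection's current charset,
// so the charset must be set on the link BEFORE any value is escaped. The query
// is still assembled as one string, so safety rests on never skipping the call.
function insertUserLegacy($link, string $name, string $email): bool
{
    mysql_set_charset('utf8mb4', $link);          // escaping depends on this
    $n   = mysql_real_escape_string($name, $link);
    $e   = mysql_real_escape_string($email, $link);
    $sql = "INSERT INTO users (name, email) VALUES ('$n', '$e')";
    return (bool) mysql_query($sql, $link);
}

// Prepared-statement pattern. With emulated prepares disabled, PDO sends the
// SQL text and the parameter values to the server separately, so there is no
// client-side escaping step to forget and the code is not tied to MySQL's
// quoting rules. Validation of the values can then live in portable code.
function insertUserPdo(PDO $pdo, string $name, string $email): bool
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    return $stmt->execute([':name' => $name, ':email' => $email]);
}

function connectPdo(): PDO
{
    // Charset in the DSN so the connection and any quoting agree on encoding.
    $dsn = 'mysql:host=db.example.invalid;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'PLACEHOLDER_PASSWORD', [
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Usage: the account still needs INSERT on `users`, as Fred notes; prepared
// statements change how values reach the server, not what the grant allows.
// insertUserPdo(connectPdo(), "O'Brien", 'ob@example.com');
```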



