发送查询时我需要转义什么? [英] What do I need to escape when sending a query?
问题描述
执行SQL查询时,您必须清理字符串,否则用户可以在您的网站上执行恶意SQL.
When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website.
我通常只有一个函数escape_string(blah),该函数:
I usually just have a function escape_string(blah), which:
- 用两次转义(
\\)替换转义(\). - 用转义的单引号(
\')替换单引号(').
- Replaces escapes (
\) with double escapes (\\). - Replaces single quotes (
') with an escaped single quote (\').
这样够吗?我的代码中有漏洞吗?是否有一个图书馆可以为我快速可靠地做到这一点?
Is this adequate? Is there a hole in my code? Is there a library which can do this quickly and reliably for me?
我想在Perl,Java和PHP中看到优美的解决方案.
I'd like to see graceful solutions in Perl, Java, and PHP.
推荐答案
为获得最大的安全性,性能和正确性,请使用准备好的语句. 以下是使用多种不同语言(包括PHP)的示例来完成此操作的方法:
For maximum security, performance, and correctness use prepared statements. Here's how to do this with lots of examples in different languages, including PHP:
https://stackoverflow.com/questions /1973/什么是避免sql注入攻击的最佳方法
这篇关于发送查询时我需要转义什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
