这是否足以防止使用MYSQL_QUERY注入Mysql [英] Will this be enough to prevent Mysql injection using MYSQL_QUERY

查看:164
本文介绍了这是否足以防止使用MYSQL_QUERY注入Mysql的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我知道大多数答案都会说使用PDO/Mysqli,但我试图查看是否可以通过这种方式进行操作,然后继续学习PDO/Mysqli:

I know most of the answers will say use PDO/Mysqli but I'm trying to see if I can do it this way then move on to PDO/Mysqli still learning:

此功能足以阻止mysql注入吗?

Will this function be enough to prevent mysql injection?

function anti_inject($sql)
{

    $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
    $sql = preg_replace("/[^a-zA-Z0-9]+/", " ", $sql);
    $sql = mysql_real_escape_string($sql);
    $sql = trim($sql);
    $sql = strip_tags($sql);
    $sql = addslashes($sql);
    $sql = strtolower($sql);
    return $sql;
}

正在寻找更好的替代方法$ sql = preg_replace(sql_regcase("/(from | select | insert | delete | where | drop table | show table |#| * |-| \\)/") ,",$ sql);

Looking for a better replacement for this line $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|*|--|\\)/"), "", $sql);

我确实想检查名称是否带有来自",选择",插入"游戏标签等

As I do want to check for names that have "from" "select" "insert" gaming tags etc

我已禁用mysql用户的删除表

I've disabled drop table from the mysql user

推荐答案

严格来说,就SQL注入保护而言,此功能非常有用,同时又无法使用.尽管它在某些特定情况下可以为您提供服务,但不能用作通用解决方案.即使在这种情况下,它仍然是多余的.

Strictly speaking, in terms of SQL injection protection this function is awfully useless and unusable at the same time. While it may serve you in some particular case of yours, it cannot be used as a general purpose solution. Yet even for such a case it is awfully redundant.

所以,为什么不使用已被证明对所有(发现的)情况都是防错的解决方案- PDO准备好的语句?

So, why not to use a solution already proved to be error-proof for all the (covered) cases - PDO prepared statements?

这篇关于这是否足以防止使用MYSQL_QUERY注入Mysql的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
PHP最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆