这是否足以防止使用MYSQL_QUERY注入Mysql [英] Will this be enough to prevent Mysql injection using MYSQL_QUERY
问题描述
我知道大多数答案都会说使用PDO/Mysqli,但我试图查看是否可以通过这种方式进行操作,然后继续学习PDO/Mysqli:
I know most of the answers will say use PDO/Mysqli but I'm trying to see if I can do it this way then move on to PDO/Mysqli still learning:
此功能足以阻止mysql注入吗?
Will this function be enough to prevent mysql injection?
function anti_inject($sql)
{
$sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"), "", $sql);
$sql = preg_replace("/[^a-zA-Z0-9]+/", " ", $sql);
$sql = mysql_real_escape_string($sql);
$sql = trim($sql);
$sql = strip_tags($sql);
$sql = addslashes($sql);
$sql = strtolower($sql);
return $sql;
}
正在寻找更好的替代方法$ sql = preg_replace(sql_regcase("/(from | select | insert | delete | where | drop table | show table |#| * |-| \\)/") ,",$ sql);
Looking for a better replacement for this line $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|*|--|\\)/"), "", $sql);
我确实想检查名称是否带有来自",选择",插入"游戏标签等
As I do want to check for names that have "from" "select" "insert" gaming tags etc
我已禁用mysql用户的删除表
I've disabled drop table from the mysql user
推荐答案
严格来说,就SQL注入保护而言,此功能非常有用,同时又无法使用.尽管它在某些特定情况下可以为您提供服务,但不能用作通用解决方案.即使在这种情况下,它仍然是多余的.
Strictly speaking, in terms of SQL injection protection this function is awfully useless and unusable at the same time. While it may serve you in some particular case of yours, it cannot be used as a general purpose solution. Yet even for such a case it is awfully redundant.
所以,为什么不使用已被证明对所有(发现的)情况都是防错的解决方案- PDO准备好的语句?
So, why not to use a solution already proved to be error-proof for all the (covered) cases - PDO prepared statements?
这篇关于这是否足以防止使用MYSQL_QUERY注入Mysql的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!