PHP:mysql_real_escape_string是否足以清理用户输入? [英] PHP: Is mysql_real_escape_string sufficient for cleaning user input?

问题描述

mysql_real_escape_string在大多数情况下是否足以清理用户输入?

Is mysql_real_escape_string sufficient for cleaning user input in most situations?

:: EDIT ::

:::

我主要是在考虑防止SQL注入，但是我最终想知道在应用mysql_real_escape_string之后我是否可以信任用户数据，或者在将数据传递给应用程序和数据库之前是否应该采取额外的措施来清理数据.

I'm thinking mostly in terms of preventing SQL injection but I ultimately want to know if I can trust user data after I apply mysql_real_escape_string or if I should take extra measures to clean the data before I pass it around the application and databases.

我知道在何处清除HTML字符很重要，但我认为不必信任用户输入.

I see where cleaning for HTML chars is important but I wouldn't consider it necessary for trusting user input.

T

推荐答案

mysql_real_escape_string在所有情况下都不足够，但绝对是一个很好的朋友. 更好解决方案使用的是 Prepared Statements

mysql_real_escape_string is not sufficient in all situations but it is definitely very good friend. The better solution is using Prepared Statements

//example from http://php.net/manual/en/pdo.prepared-statements.php

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

此外，别忘了 HTMLPurifier ，可用于丢弃任何无效/可疑的内容字符.

Also, not to forget HTMLPurifier that can be used to discard any invalid/suspicious characters.

...........

...........

修改: 根据下面的评论，我需要发布此链接(在造成混乱之前，我应该这样做)

Based on the comments below, I need to post this link (I should have done before sorry for creating confusion)

mysql_real_escape_string()与预准备语句

mysql_real_escape_string() versus Prepared Statements

报价:

mysql_real_escape_string()容易 同类问题 addlashes().

mysql_real_escape_string() prone to the same kind of issues affecting addslashes().

Chris Shiflett (安全专家)

这篇关于PHP:mysql_real_escape_string是否足以清理用户输入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！