Is htmlspecialchars enough to prevent an SQL injection on a variable enclosed in single quotes?
Problem description
Although many sources state that the htmlspecialchars function with ENT_QUOTES is not enough to prevent SQL injection, none of them provide a proof of concept. I cannot think of any possibility myself.
Let's consider the following example:
$username = htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
$sql = "SELECT * from user WHERE name='$username'";
mysql_query($sql,...);
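An added example, not part of the original question, that contrasts what htmlspecialchars actually does to the input with a parameterized query. It assumes PHP with PDO and an in-memory SQLite database so it runs offline, rather than the question's MySQL and mysql_query setup; the point about htmlspecialchars is the same.

```php
<?php
// Added example (not the original question's code). Uses PDO with in-memory
// SQLite instead of MySQL/mysql_query so it runs stand-alone.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
// A legitimate user whose name contains an apostrophe (constructed sample row).
$pdo->exec("INSERT INTO user (name) VALUES ('O''Brien')");

// htmlspecialchars is an HTML output encoder: it rewrites the HTML
// metacharacters and, with ENT_QUOTES, turns the single quote into &#039;.
// Characters that matter to a SQL string literal but mean nothing to HTML,
// such as the backslash, are passed through unchanged.
foreach (["O'Brien", 'a\\b', '<b>x</b>'] as $raw) {
    printf("%-10s => %s\n", $raw, htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

// The question's approach: the apostrophe can no longer close the SQL
// literal in this particular query, but the value being compared is now the
// entity-encoded string, so a valid user named O'Brien is not found.
$username = htmlspecialchars("O'Brien", ENT_QUOTES, 'UTF-8');
$rows = $pdo->query("SELECT * FROM user WHERE name='$username'")->fetchAll();
echo "htmlspecialchars lookup: " . count($rows) . " row(s)\n";

// The fix: a parameterized query. The value is never spliced into the SQL
// text, so no escaping or encoding of the input is needed and the data
// reaches the database intact. htmlspecialchars belongs at HTML output time.
$stmt = $pdo->prepare("SELECT * FROM user WHERE name = :name");
$stmt->execute([':name' => "O'Brien"]);
$rows = $stmt->fetchAll();
echo "prepared-statement lookup: " . count($rows) . " row(s)\n";
```

Run it with the PDO SQLite driver enabled; the first lookup returns no rows while the prepared statement finds the user.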