这是php代码安全吗? [英] Is this php code safe?

问题描述

我知道我应该使用预处理语句，但是我的下一个项目将使用预处理语句，我只需要完成这个简单的小应用程序即可.

I am aware I should be using prepared statement's but my next project will be using prepared statement's I just need to finish this simple little application.

所以我的问题是:

下面的代码片段安全吗?

Is this following snippet of code secure ?

我使用了htmlentities以及mysql_real_escape_string，因为我认为这是一个安全的选择.

I have used htmlentities aswell as mysql_real_escape_string because I thought it was a safe option.

//Image 
$imageInput = $_POST['Image'];
$imageClean = htmlentities($imageInput, ENT_QUOTES, 'UTF-8');



//Inserts values into relevant field and creates a new row.
mysql_query("UPDATE ***** SET image='" . mysql_real_escape_string($imageClean) . "'     WHERE id=" . mysql_real_escape_string($idClean) . "");

添加$ idClean的代码是:

to add the code for the $idClean is:

//Id to change
if(ctype_digit($_POST['testimonial']))
{
    $idInput = $_POST['testmonial'];
    $idClean = htmlentities($idInput, ENT_QUTOES, 'UTF-8');
}

感谢您的帮助.

p.s，如果您可以建议添加一些东西，那就太好了.

p.s if you could suggest something to add that would be great.

推荐答案

取决于您的$idClean的清洁程度.

Depends on how clean your $idClean is.

WHERE id=" . mysql_real_escape_string($idClean) . "

mysql_real_escape_string仅在\x00前加反斜杠， \n，\r，\，'，"和\x1a ，但不会阻止攻击者使用

mysql_real_escape_string only prepends backslashes to \x00, \n, \r, \, ', " and \x1a, but it won't stop the attacker using

$idClean = "1 OR 1=1 AND POSSIBLY OTHER SQL STATEMENTS"

您应该将其转换为int而不是mysql_real_escape_string.

Instead of mysql_real_escape_string you should just convert it to an int.

这篇关于这是php代码安全吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！