这是php代码安全吗? [英] Is this php code safe?
问题描述
我知道我应该使用预处理语句,但是我的下一个项目将使用预处理语句,我只需要完成这个简单的小应用程序即可.
I am aware I should be using prepared statement's but my next project will be using prepared statement's I just need to finish this simple little application.
所以我的问题是:
下面的代码片段安全吗?
Is this following snippet of code secure ?
我使用了htmlentities以及mysql_real_escape_string,因为我认为这是一个安全的选择.
I have used htmlentities aswell as mysql_real_escape_string because I thought it was a safe option.
//Image
$imageInput = $_POST['Image'];
$imageClean = htmlentities($imageInput, ENT_QUOTES, 'UTF-8');
//Inserts values into relevant field and creates a new row.
mysql_query("UPDATE ***** SET image='" . mysql_real_escape_string($imageClean) . "' WHERE id=" . mysql_real_escape_string($idClean) . "");
添加$ idClean的代码是:
to add the code for the $idClean is:
//Id to change
if(ctype_digit($_POST['testimonial']))
{
$idInput = $_POST['testmonial'];
$idClean = htmlentities($idInput, ENT_QUTOES, 'UTF-8');
}
感谢您的帮助.
p.s,如果您可以建议添加一些东西,那就太好了.
p.s if you could suggest something to add that would be great.
推荐答案
取决于您的$idClean
的清洁程度.
Depends on how clean your $idClean
is.
WHERE id=" . mysql_real_escape_string($idClean) . "
mysql_real_escape_string
仅在\x00
前加反斜杠, \n
,\r
,\
,'
,"
和\x1a
,但不会阻止攻击者使用
mysql_real_escape_string
only prepends backslashes to \x00
, \n
, \r
, \
, '
, "
and \x1a
, but it won't stop the attacker using
$idClean = "1 OR 1=1 AND POSSIBLY OTHER SQL STATEMENTS"
您应该将其转换为int而不是mysql_real_escape_string
.
Instead of mysql_real_escape_string
you should just convert it to an int.
这篇关于这是php代码安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!