What are the best practices to prevent SQL injections?


Problem description

I have done some research and am still confused; this is the outcome of that research. Can someone please comment and advise on how I can make these better, or whether there is a rock-solid implementation already out there that I can use?

Method 1:

// Assign the array_map() results back, otherwise the filtered values are never used.
// Note: mysql_real_escape_string() needs an open mysql_* connection and the whole
// mysql_* extension was removed in PHP 7.
$_GET = array_map('trim', $_GET);
$_GET = array_map('stripslashes', $_GET);
$_GET = array_map('mysql_real_escape_string', $_GET);

Method 2:

function filter($data) {
    // Strip HTML tags, encode the rest as HTML entities and trim whitespace.
    $data = trim(htmlentities(strip_tags($data)));

    // Undo the escaping added by magic quotes (removed in PHP 8; the check
    // is only needed on PHP < 7.4 installations that still have it enabled).
    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    // Escape for use inside a quoted MySQL string literal.
    $data = mysql_real_escape_string($data);

    return $data;
}

$data = array();
foreach ($_GET as $key => $value) {
    $data[$key] = filter($value);
}

Recommended answer

Both methods you show are not recommendable.

Blanket "sanitizing" data is counter-productive, because data needs to be sanitised in different ways depending on how it is going to be used: Using it in a database query needs different sanitation from outputting it in HTML, or from using it as parameters in a command line call, etc. etc.

The best way to do sanitation is immediately before the data is being used. That way, it is easy for the programmer to see whether all data is actually getting sanitized.

If you use the mysql_* family of functions, do a mysql_real_escape_string() on every argument you use in a query:

// Escape each value right before it is interpolated into the query string.
$safe_name = mysql_real_escape_string($_POST["name"]);
$safe_address = mysql_real_escape_string($_POST["address"]);

// The VALUES list must be parenthesised, and `table` is a reserved word in MySQL,
// so it has to be quoted with backticks when used as a table name.
$result = mysql_query("INSERT INTO `table` VALUES ('$safe_name', '$safe_address')");

If you use the PDO or mysqli families of functions, you can make use of parametrized queries, which eliminate most of the SQL injection woes - all everyday ones at any rate.

It is perfectly possible to write safe queries with mysql_*, and it is also perfectly possible to introduce a security hole in a PDO query, but if you are starting from scratch, consider using PDO or mysqli straight away.

Use strip_tags() only if you are planning to output user entered data in HTML; note that you need to do an additional htmlspecialchars() to reliably prevent XSS attacks.

The only blanket sanitation method that has some merit is the

if (get_magic_quotes_gpc())
    $data = stripslashes($data);

call which filters out the layer of escaping added by the now-deprecated "magic quotes" feature of earlier versions of PHP.
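To make the answer's two points concrete, here is an added example (not code from the original question or answer) that does the same INSERT through a PDO prepared statement, so user input is passed as a parameter instead of being spliced into the SQL text, and applies htmlspecialchars() only at the point where a value is rendered as HTML. It uses an in-memory SQLite database and a table named "customers", both assumptions chosen so the script runs stand-alone; with MySQL only the DSN changes.

```php
<?php
// Added example: parameterised queries with PDO plus output-side escaping.
// Assumptions: SQLite in memory and a "customers" table (both constructed here).

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw exceptions instead of silently returning false on errors.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, address TEXT)');
    return $db;
}

// Insert a row; $name and $address are raw, unsanitised user input.
function insertCustomer(PDO $db, string $name, string $address): int {
    $stmt = $db->prepare('INSERT INTO customers (name, address) VALUES (:name, :address)');
    // Values are bound as parameters: quotes or comment markers inside them stay data.
    $stmt->execute([':name' => $name, ':address' => $address]);
    return (int) $db->lastInsertId();
}

// Look a customer up by name, again through a bound parameter.
function findCustomer(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT name, address FROM customers WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML escaping belongs at the output boundary, not in the stored data.
function renderCustomer(array $row): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $esc($row['name']) . ' lives at ' . $esc($row['address']) . '</p>';
}

$db = makeDb();
// Constructed sample input containing the characters that break string-built queries.
$name = "O'Brien";
$address = '<b>1 Main St</b>';
insertCustomer($db, $name, $address);
$row = findCustomer($db, $name);
assert($row['name'] === $name);        // stored verbatim; no escaping baked into the data
echo renderCustomer($row), PHP_EOL;    // escaped only when rendered as HTML
```

Because the value is stored unmodified, the same row can later be escaped differently for a shell argument or a JSON response without first having to undo a database-specific escaping step.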
