PHP:mysql_real_escape_string 是否足以清理用户输入? [英] PHP: Is mysql_real_escape_string sufficient for cleaning user input?

问题描述

mysql_real_escape_string 是否足以在大多数情况下清理用户输入?

Is mysql_real_escape_string sufficient for cleaning user input in most situations?

:::

我主要考虑防止 SQL 注入，但我最终想知道在我应用 mysql_real_escape_string 之后我是否可以信任用户数据，或者我是否应该在将数据传递给应用程序和数据库之前采取额外措施来清理数据.

I'm thinking mostly in terms of preventing SQL injection but I ultimately want to know if I can trust user data after I apply mysql_real_escape_string or if I should take extra measures to clean the data before I pass it around the application and databases.

我知道清理 HTML 字符的重要性，但我认为没有必要信任用户输入.

I see where cleaning for HTML chars is important but I wouldn't consider it necessary for trusting user input.

T

推荐答案

mysql_real_escape_string 在所有情况下都不够，但它绝对是非常好的朋友.更好的解决方案是使用Prepared Statements

mysql_real_escape_string is not sufficient in all situations but it is definitely very good friend. The better solution is using Prepared Statements

//example from http://php.net/manual/en/pdo.prepared-statements.php

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (?, ?)");
$stmt->bindParam(1, $name);
$stmt->bindParam(2, $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

另外，不要忘记 HTMLPurifier 可用于丢弃任何无效/可疑字符.

Also, not to forget HTMLPurifier that can be used to discard any invalid/suspicious characters.

.........

根据下面的评论，我需要发布此链接(我应该在抱歉造成混淆之前完成)

Based on the comments below, I need to post this link (I should have done before sorry for creating confusion)

mysql_real_escape_string() 与准备好的语句

引用:

mysql_real_escape_string() 容易出现同样的问题影响添加斜线().

mysql_real_escape_string() prone to the same kind of issues affecting addslashes().

Chris Shiflett(安全专家)

这篇关于PHP:mysql_real_escape_string 是否足以清理用户输入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！