striplashes对SQL注入的有效性? [英] Effectiveness of stripslashes against SQL Injection?
问题描述
我想知道是否有人遇到过 stripslashes 语句从密码字段中获取文本,如果有任何方式来做SQL注入,这种情况下?
I was wondering if anyone had came across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case?
ie在PHP语言中,您可以从网站的密码字段获取文本,并通过stripslashes语句删除任何(')so('OR 1 = 1 - )变为( OR 1 = 1 )。并使SQL注入很难做到。
i.e. in the PHP language you can get text from a password field of a website and pass it through the stripslashes statement to remove any (') so (' OR 1=1 --) becomes (OR 1=1). And makes SQL injections hard to do.
推荐答案
stripslashes 删除斜杠( \ ),它们是转义字符,不是数据,而是引号(')。如果有什么,它的使用将增加存在SQL注入漏洞的可能性。
stripslashes removes slashes (\), which are escape characters, from data, not quotes ('). If anything, it's use will increase the likelihood of an SQL injection vulnerability existing.
防范SQL注入使用预准备的语句和参数化查询 。
这篇关于striplashes对SQL注入的有效性?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
