mysql_real_escape_string是否足以进行反SQL注入? [英] Is mysql_real_escape_string enough to Anti SQL Injection?

问题描述

在PHP手册中，有一条注释:

In PHP Manual, there is a note:

注意:如果此功能不用于 转义数据，查询易受攻击 SQL注入攻击.

Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.

这足以进行反SQL注入吗?如果没有，您可以举一个示例和一个好的反SQL注入解决方案吗?

Is this enough to anti sql injection? If not, could you give an example and a good solution to anti sql injection?

推荐答案

mysql_real_escape_string通常足以避免SQL注入.不过，这确实取决于它是否没有错误，即，它 容易受到攻击的可能性不大(但这尚未在现实​​世界中体现出来).在概念上完全排除SQL注入的更好的替代方法是准备好的语句.这两种方法完全取决于您正确地应用它们.也就是说，如果您只是将其弄乱，那么它们都不会保护您.

mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). A better alternative which completely rules out SQL injections on a conceptual level is prepared statements. Both methods entirely depend on your applying them correctly; i.e. neither will protect you if you simply mess it up anyway.

这篇关于mysql_real_escape_string是否足以进行反SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！