在哪里使用mysql_real_escape_string防止SQL注入? [英] Where to use mysql_real_escape_string to prevent SQL Injection?
问题描述
我遇到了一群黑客.他们几次入侵了我客户的网站,我的客户更加生气:(我的客户丢失了他的数据库(有数百条记录),不得不输入所有:(
I'm in trouble with a group of hackers. they hacked my client's site few times, and my client gets more angry :( my client lost his database (which has hundreds records), and had to enter all :(
现在我将关注更多介绍;
now I'm following some more introductions;
- 固定文件权限
- 更改了ftp和主机登录信息
- 清除了所有远程mysql访问权限
现在正在处理SQL注入问题.我在管理面板登录参数中添加了mysql_real_escape_string.所以我还应该在其他地方使用这个mysql_real_escape_string吗?我的网站上只有几封电子邮件表格,我认为我不需要在其中添加...
now working on SQL Injection issue. I added mysql_real_escape_string to admin panel login paramaters. So where else should I use this mysql_real_escape_string ? I have few email forms at site, I dont think i need to add there...
我有一个index.php作为主页.我是否应该对此页面执行任何操作,以防止通过index.php?somesql=
这样的url进行任何sql注入攻击?
I have an index.php as a mainpage. Should I do anything for this page to prevent any sql injection attack via url like index.php?somesql=
?
请告诉我!我非常感谢!!! :(
Please advise me! I appreciate so much!!! :(
例如:
我有这样的代码;
public function showDetails($id) {
// SQL Jobs Details
$this->sql_job = "SELECT * FROM jobs WHERE id=".mysql_real_escape_string($id);
$this->rst_job = mysql_query($this->sql_job);
$this->row_all = mysql_fetch_assoc($this->rst_job);
// SQL State
$this->sql_state = "SELECT title FROM state WHERE id=" . $this->row_all[$this->tbl_jobs['f4']];
$this->rst_state = mysql_query($this->sql_state);
$this->row_state = mysql_fetch_assoc($this->rst_state);
........
是否足以将mysql_real_escape_string用于$ id.不适用于$ this-> row_all [$ this-> tbl_jobs ['f4']]
is it enough to use mysql_real_escape_string for $id . not for $this->row_all[$this->tbl_jobs['f4']]
推荐答案
基本上,每次您使用一些不安全的数据(用户输入,来自数据库,文件或外部网站的值,即您不是的任何数据 100%确保它是安全的)在SQL查询中,则应使用,此功能不安全表名(但这要比基本"用户输入插入少得多).
Basically, each time you use some unsafe data (user input, value from a database, a file or an external website, i.e. any data that you are not 100% sure that it is safe) in a SQL query, you should escape it using mysql_real_escape_string. Note that according to OWASP, this function is not secure for escaping dynamic table names (but this is far less common than "basic" user input insertion).
我建议您查看有关SQL注入的整个 OWASP文章 ,还可以浏览网站的其余部分.它是有关Web应用程序安全性的重要信息来源.
I suggest you to have a look at the whole OWASP article on SQL injection, and also to browse the rest of the website. It's a great source of information about security in web applications.
IMO, the preferred way of preventing SQL injection is to use prepared statements.
请记住,如果您选择使用mysql_real_escape_string()
,则仅当
在用引号分隔的字符串内使用.永远不要用它
任何未引用的值.这包括数值;而是验证用户输入实际上是数字.
Please remember that if you do choose to use mysql_real_escape_string()
it only works when
used inside a string that is delimited by quotes. Never use it on
any unquoted values. This includes numeric values; instead, validate that the user-input is actually numeric.
这篇关于在哪里使用mysql_real_escape_string防止SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!