Can mysql_real_escape_string ALONE prevent all kinds of sql injection?


Question


Possible Duplicate:
SQL injection that gets around mysql_real_escape_string()


I haven't seen any valuable or not-outdated info on this. So, there is this question: Does mysql_real_escape_string() FULLY protect against SQL injection? Yet it is very outdated (it's from '09), so as of PHP 5.3 and MySQL 5.5 in '12, does it protect fully?

Recommended answer


mysql_real_escape_string ALONE can prevent nothing.

Moreover, this function has nothing to do with injection.


Whenever you need escaping, you need it despite "security", but just because it is required by SQL syntax. And where you don't need it, escaping won't help you even a bit.


The usage of this function is simple: when you have to use a quoted string in the query, you have to escape its contents. Not because of some imaginary "malicious users", but merely to escape these quotes that were used to delimit a string. This is an extremely simple rule, yet extremely mistaken by PHP folks.


This is just a syntax-related function, not a security-related one.


Depending on this function in security matters, believing that it will "secure your database against malicious users" WILL lead you to injection.


A conclusion that you can make yourself:
No, this function is not enough.


Prepared statements are not a silver bullet either. They cover your back for only half of the possible cases. See the important addition I made to the famous question for the details.
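An added example (not part of the original answer) that makes the answer's two points concrete: quote escaping does nothing for a value placed in an unquoted numeric context, a bound parameter does, and an identifier such as an ORDER BY column cannot be bound at all and needs a whitelist. It uses Python's sqlite3 in place of MySQL and a constructed `escape_quotes` helper standing in for mysql_real_escape_string; the table and rows are constructed sample data.

```python
import sqlite3


def escape_quotes(value: str) -> str:
    """Constructed stand-in for quote escaping: all it can do is neutralise
    the quote character that would otherwise end a quoted string literal."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample table (sqlite in-memory, standing in for MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn


def lookup_escaped_unquoted(conn: sqlite3.Connection, user_id: str) -> list:
    """Escaping applied, but the value lands in an unquoted numeric context.
    No quote was needed, so escaping quotes changes nothing: the input text
    becomes part of the SQL itself (the 'where you don't need it' case)."""
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn: sqlite3.Connection, user_id: str) -> list:
    """The value is bound, never concatenated, so it is only ever compared
    with the id column, whatever it contains."""
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


# The 'other half': identifiers and keywords cannot be bound as parameters,
# and escaping has no meaning for them, so the defence is a whitelist.
ALLOWED_ORDER_COLUMNS = {"id", "name", "role"}


def is_allowed_column(name: str) -> bool:
    return name in ALLOWED_ORDER_COLUMNS


def list_sorted(conn: sqlite3.Connection, order_by: str) -> list:
    if not is_allowed_column(order_by):
        raise ValueError(f"unexpected column: {order_by!r}")
    sql = f"SELECT name FROM users ORDER BY {order_by}"
    return [row[0] for row in conn.execute(sql)]
```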
