PHP中的mysqli类可以防止100％的SQL注入吗? [英] Does mysqli class in PHP protect 100% against sql injections?

问题描述

我看过很多关于mysqli的文章和问题，所有这些人都声称它可以防止sql注入.但这是万无一失的证明，还是还有一些解决方法.我对跨站点脚本或网络钓鱼攻击不感兴趣，仅对sql注入感兴趣.

I've seen lots of articles and questions about mysqli, and all of them claim that it protects against sql injections. But is it fool proof, or is there still some way to get around it. I'm not interested in cross site scripting or phishing attacks, only sql injections.

首先我应该说的是我正在使用准备好的语句.这就是我对mysqli的意思.如果我使用没有任何字符串连接的准备好的语句，那么它是万无一失的吗?

What I should have said to begin with is that I am using prepared statements. That is what I meant with mysqli. If I use prepared statements without any string concatenation, then is it foolproof?

推荐答案

但这是傻瓜证明，还是还有一些解决方法.

But is it fool proof, or is there still some way to get around it.

不，您必须知道自己在做什么.如果使用绑定参数(MySqli附带的一项功能)，则从此攻击媒介进行注入式攻击绝对是安全的.这不会阻止您-程序员-直接嵌入字符串，从而启用注入攻击.您必须按预期使用该功能.

No, you have to know what you're doing. If you use bound parameters (A feature that MySqli comes with), you are completely safe from injection type attacks from this attack vector. This doesn't prevent you - the programmer - from embedding strings directly, and thereby enabling injection attacks. You have to use the feature as intended.

首先我应该说的是我正在使用准备好的语句.这就是我对mysqli的意思.如果我使用没有任何字符串连接的准备好的语句，那么它是万无一失的吗?

What I should have said to begin with is that I am using prepared statements. That is what I meant with mysqli. If I use prepared statements without any string concatenation, then is it foolproof?

万无一失仍然是一个危险的词.但是对于通过预备语句绑定的变量，您可以免受注入攻击.这是因为绑定参数是与SQL查询分开传输的.使用传统"嵌入字符串方法，数据库服务器需要解析输入，并且其中有很多边缘情况(字符集等).当数据和查询分开发送时，不会进行任何实际的解析(至少不会解析变量数据).

Foolproof is still such a dangerous word. But you are safe from injection attacks for the variables that are bound through prepared statements. This is because bound parameters are transmitted separately from the SQL query. With the "traditional" embed-string approach, the database server needs to parse the input and there are lots of edge cases in that (Charsets etc.). When the data and the query are sent separate, there is no actual parsing going on (At least not parsing of the variable data).

这篇关于PHP中的mysqli类可以防止100％的SQL注入吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！