使用mysqli_real_escape_string是否足以保护我的查询字符串? [英] Is using mysqli_real_escape_string enough to secure my query string?

问题描述

可能重复:
使用sql的动态mysql查询转义与准备好的陈述一样安全吗?

Possible Duplicate:
Are dynamic mysql queries with sql escaping just as secure as prepared statements?

仅使用mysqli_real_escape_string足以保护查询吗?还是在尝试安全地查询数据库时还有更多考虑因素?

Is using only mysqli_real_escape_string enough to secure a query? Or is there more to consider when trying to securely query a database?

推荐答案

如果在任何地方正确使用，则real_escape_string是一个选项.但是请考虑以下代码:

If used everywhere correctly real_escape_string is an option. But consider the following code:

$page = $_GET['page'];
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($page);

安全与否? real_escape_ 字符串只能用于转义引号内的字符串. $page可能是1 OR id IN (2,3,4,5,6,7,8,9)→没有引号，没有真正的转义.在这种情况下，强制转换为正确的数据类型(int)可能会有所帮助.您最好使用准备好的语句，因为它们不太容易被误用.

Safe or not? real_escape_string can only be used to escape strings inside quotation marks. $page could be 1 OR id IN (2,3,4,5,6,7,8,9) → no quotation marks, no real escaping. Casting to the correct datatype (int) might help in this case. You're better off using prepared statements, they are not as easily to mis-use.

这篇关于使用mysqli_real_escape_string是否足以保护我的查询字符串?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！