function to sanitize input to Mysql database

Question

I am trying to put a general purpose function together that will sanitize input to a Mysql database. So far this is what I have:

function sanitize($input){
    // get_magic_quotes_gpc() takes no arguments; it only reports whether
    // magic_quotes_gpc is enabled for the request
    if(get_magic_quotes_gpc()){

        $input = trim($input); // get rid of white space left and right
        $input = htmlentities($input); // convert symbols to html entities
        return $input;
    } else {

        $input = htmlentities($input); // convert symbols to html entities
        $input = addslashes($input); // server doesn't add slashes, so we will add them to escape ',",\,NULL
        $input = mysql_real_escape_string($input); // escapes \x00, \n, \r, \, ', " and \x1a
        return $input;
    }
}

If I understood the definition of get_magic_quotes_gpc(), this is set by the PHP server to automatically escape characters instead of needing to use addslashes().

Have I used addslashes() and mysql_real_escape_string() correctly together, and is there anything else I could add to increase the sanitization?

Thanks

Recommended answer

htmlentities() is unnecessary to make data safe for SQL. It's used when echoing data values to HTML output, to avoid XSS vulnerabilities. That's also an important security issue you need to be mindful of, but it's not related to SQL.

addslashes() is redundant with mysql_real_escape_string. You'll end up with literal backslashes in your strings in the database.

Don't use magic quotes. This feature has been deprecated for many years. Don't deploy PHP code to an environment where magic quotes is enabled. If it's enabled, turn it off. If it's a hosted environment and they won't turn off magic quotes, get a new hosting provider.

Don't use ext/mysql. It doesn't support query parameters, transactions, or OO usage.

Update: ext/mysql was deprecated in PHP 5.5.0 (2013-06-20), and removed in PHP 7.0.0 (2015-12-03). You really can't use it.

Use PDO, and for more details about writing safe SQL, read my presentation SQL Injection Myths and Fallacies.
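What the answer recommends, as an added example that is not part of the original question or answer: the `sanitize()` function is replaced by PDO prepared statements that keep data separate from the SQL text, with HTML escaping applied only at output. The DSN, credentials and the `users(id, name, email)` table are placeholders assumed for illustration.

```php
<?php
// Added example (not from the original post). The DSN, credentials and the
// `users` table are assumed placeholders.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
        ]
    );
}

// Store the value exactly as the user typed it: no addslashes(), no
// mysql_real_escape_string(), no htmlentities(). Bound parameters are never
// interpreted as part of the SQL statement.
function addUser(PDO $pdo, string $name, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping belongs at the output boundary and is chosen for that context
// (HTML here), which is where the answer says htmlentities()-style encoding goes.
function renderName(array $user): string
{
    return '<p>' . htmlspecialchars($user['name'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$pdo = connect();
// A name containing a quote and angle brackets is stored verbatim and rendered safely.
addUser($pdo, "O'Brien <b>", 'obrien@example.com');
echo renderName(findUserByEmail($pdo, 'obrien@example.com'));
```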
