清理整数数据库输入 [英] Sanitizing Integer Database Input
问题描述
我有一个通过POST请求获取数据的应用程序.我正在使用此数据在数据库中插入新行.我知道使用mysql_real_escape_string()(加上删除%和_)是字符串的方法,但是整数值呢?现在,我在它们上使用了PHP函数intval().
I have an application that takes data via a POST request. I am using this data to insert a new row into the database. I know that using mysql_real_escape_string() (plus removing % and _) is the way to go for strings, but what about integer values? Right now, I am using the PHP function intval() on them.
但是,我想确保intval()是绝对安全的.当变量先通过intval()运行时(因为它总是返回整数),我看不到攻击者执行SQL注入攻击的方法,但是我想确保有更多经验的人会遇到这种情况比我.
However, I wanted to make sure that intval() is perfectly safe. I can't see a way of an attacker preforming a SQL injection attack when the variables are run through intval() first (since it always returns an integer), but I wanted to make sure this is the case from people that have more experience than I.
谢谢.
推荐答案
是的,intval()是安全的.将参数转换为整数时,绝对没有办法执行SQL注入,因为(显然)整数格式不允许在其中放入SQL关键字(或引号或其他内容).
Yes, intval() is safe. There is absolutely no way to perform an SQL injection when the parameter is converted to integer, because (obviously) the format of an integer does not allow putting SQL keywords (or quotes, or whatever) in it.
这篇关于清理整数数据库输入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
