Use of parameters for mysql_query

Problem description

Somewhere while studying I just found out something interesting. It says something like the following:

    $query = sprintf("SELECT firstname, lastname, address, age FROM friends
    WHERE firstname='%s' AND lastname='%s'",mysql_real_escape_string($firstname),
    mysql_real_escape_string($lastname));

using a query like this instead of

    $query="select firstname, lastname, address, age FROM friends
    WHERE firstname='".$_RETURN['name1']."' AND lastname='".$_RETURN['name2']."'";

Does this seem reasonable? Have you ever tried this kind of coding, and how does it help prevent malicious attacks?

Answer

First off, what this is about is called SQL injection. It's basically just the possibility to alter queries against the database via user input. Let's look at an example:

Query:

    SELECT temp1 FROM temp WHERE temp2 = 'VAR1';

Now we'll assign VAR1 the value of:

    '; DROP TABLE *; --

And we'll get:

    SELECT temp1 FROM temp WHERE temp2 = ''; DROP TABLE *; --';

With mysql_real_escape_string it would look like this:

    SELECT temp1 FROM temp WHERE temp2 = '\'; DROP TABLE *; --'

mysql_real_escape_string 'secures' a string for usage within a query.

But in the end, you should stop using the mysql_* functions altogether. They're deprecated and considered insecure when it comes to preventing SQL injection or other means of tampering with the queries. You should simply stop concatenating queries together like this and start using prepared statements, which are not only easier to use and prevent SQL injection by default, but can also improve the speed of your application. For PHP there are two extensions which are designed to close the hole mysql_* opened: mysqli and PDO.

And I say it again: Please stop using mysql_*!
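The three approaches the answer contrasts (concatenation, escaping, prepared statements) side by side, as an added example that is not part of the question or the answer. It assumes PHP with the PDO SQLite driver so it runs offline; the `friends` table, its two rows and the payload are constructed here, and the payload is a tautology (`x' OR '1'='1`) rather than the answer's `DROP TABLE`, because a single SELECT is enough to show the query's structure being changed. The same PDO calls work against MySQL by changing the DSN; the mysqli variant is included but not executed because it needs a live MySQL connection.

```php
<?php
// Added example, not code from the original question or answer.
// Assumes PHP >= 7.4 with the pdo_sqlite extension; everything below is
// constructed in memory so the script runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE friends (firstname TEXT, lastname TEXT, address TEXT, age INTEGER)');
$db->exec("INSERT INTO friends VALUES ('Alice', 'Smith', '1 Main St', 30),
                                      ('Bob',   'Jones', '2 High St', 41)");

// 1. The vulnerable form from the question: user input glued into the SQL text.
//    The input becomes part of the query grammar, so quotes in it change the WHERE clause.
function lookupConcatenated(PDO $db, string $first, string $last): array
{
    $sql = "SELECT firstname, lastname, address, age FROM friends "
         . "WHERE firstname='" . $first . "' AND lastname='" . $last . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping, the mysql_real_escape_string approach from the answer.
//    PDO::quote() escapes the value for the connected driver and adds the
//    surrounding quotes itself, so the placeholders here are unquoted.
function lookupEscaped(PDO $db, string $first, string $last): array
{
    $sql = sprintf("SELECT firstname, lastname, address, age FROM friends "
                 . "WHERE firstname=%s AND lastname=%s",
                   $db->quote($first), $db->quote($last));
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the SQL text is fixed before any user data is seen,
//    values travel separately, and nothing in them can alter the query's structure.
function lookupPrepared(PDO $db, string $first, string $last): array
{
    $stmt = $db->prepare('SELECT firstname, lastname, address, age FROM friends '
                       . 'WHERE firstname = :first AND lastname = :last');
    $stmt->execute([':first' => $first, ':last' => $last]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The mysqli equivalent of (3). Not executed here: it needs a MySQL connection.
function lookupMysqli(mysqli $db, string $first, string $last): array
{
    $stmt = $db->prepare('SELECT firstname, lastname, address, age FROM friends '
                       . 'WHERE firstname = ? AND lastname = ?');
    $stmt->bind_param('ss', $first, $last);   // 'ss': two string parameters
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed payload: matches no real name, but closes the quoted literal and
// appends a condition that is always true.
$payload = "x' OR '1'='1";

printf("concatenated: %d rows\n", count(lookupConcatenated($db, $payload, $payload)));
printf("escaped:      %d rows\n", count(lookupEscaped($db, $payload, $payload)));
printf("prepared:     %d rows\n", count(lookupPrepared($db, $payload, $payload)));
printf("legitimate:   %d rows\n", count(lookupPrepared($db, 'Alice', 'Smith')));
```

Run it with `php example.php`. The concatenated version returns every row in the table, because the payload turns the WHERE clause into `firstname='x' OR '1'='1' AND lastname='x' OR '1'='1'`; the escaped and prepared versions return no rows for the payload, and the prepared version still finds the legitimate Alice Smith row. Escaping only works if every value on every code path is escaped with the function matching the connection's charset, which is exactly the discipline that slips in real code; the prepared statement removes that burden, which is why the answer recommends it.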