通过字符串操作防止PHP SQL注入 [英] PHP SQL Injection Prevention With String Operations
问题描述
可能重复:
防止在PHP中进行SQL注入的最佳方法?
Possible Duplicate:
Best way to prevent SQL injection in PHP?
我一直在做一些有关SQL注入的研究,但是有一些我找不到答案的问题.不可能在字符串级别上防止SQL注入攻击吗?我的意思是,我们不能阻止它吗?
I have been doing some research about SQL Injection but I have some questions that I couldn't find answer to. Isn't it possible to prevent SQL injection attacks on string levels? What I mean is, can't we prevent it by;
-
在通过mysql查询处理非法字符之前找到非法字符了吗?
$postID = $_POST['id'];
if($postID contains characters)
remove characters;
if($postID still contains characters)
then exit;
else
mysql_real_escape_string($postID); //just in case?
continue to do whatever you are doing...
真的有必要使用PDO/mysqli吗?分析要在mysql中处理的sql字符串是否足够?请记住,我在回复时不是PHP或MySQL专家.我是一个试图了解它们的人.
Is it really necessary to use PDO/mysqli stuff? Is it sufficient to analyze your sql strings to be processed in mysql? Please keep in mind that I am not a PHP or MySQL expert while replying. I am someone who is trying to learn about them.
推荐答案
当然,只要您在每次调用该函数时都不必介意查询,就可以使用mysql_real_escape_string($postID)防止注入.
Sure, you can protect against injection with mysql_real_escape_string($postID), as long as you don't mind a query every time you call the function.
PDO和MySQLi提供的不仅仅是注入保护.它们允许准备好的语句,这些语句可以在无需多次调用db的情况下保护反垃圾邮件注入.这意味着更快的整体性能.想象一下,尝试将具有30列的用户记录插入到表中……这是很多mysql_real_escape_string()调用.
PDO and MySQLi provide a lot more than just injection protection. They allow for prepared statements that can protect agaisnt injection without multiple calls to the db. This means faster overall performance. Imagine trying to insert to a table a user record with 30 columns... that's a lot of mysql_real_escape_string() calls.
准备好的语句将所有数据与查询一起发送,并在一个请求中在服务器上对其进行转义. Mysql DB支持准备好的语句,旧的php mysql_库不支持它们.
Prepared statements send all the data at once along with the query and escape it on the server in one request. Mysql DB's support prepared statments, the old php mysql_ libraries don't support them.
是时候进行mysqli或PDO了,您将永远不会回头.
Time to move on to mysqli or preferrably PDO--you'll never look back.
这篇关于通过字符串操作防止PHP SQL注入的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
