mysqli准备好的语句不会转义哪些字符? [英] What characters are NOT escaped with a mysqli prepared statement?

问题描述

我正在尝试强化我的一些PHP代码，并使用mysqli准备好的语句来更好地验证用户输入并防止注入攻击.

I'm trying to harden some of my PHP code and use mysqli prepared statements to better validate user input and prevent injection attacks.

我放弃了mysqli_real_escape_string 因为它没有转义％和_ .但是，当我将查询创建为mysqli准备的语句时，仍然存在相同的缺陷.该查询根据用户名提取用户的盐值.我会为密码和其他查询做类似的事情.

I switched away from mysqli_real_escape_string as it does not escape % and _. However, when I create my query as a mysqli prepared statement, the same flaw is still present. The query pulls a users salt value based on their username. I'd do something similar for passwords and other lookups.

代码:

$db = new sitedatalayer();

if ($stmt = $db->_conn->prepare("SELECT `salt` FROM admins WHERE `username` LIKE ? LIMIT 1")) {

  $stmt->bind_param('s', $username);
  $stmt->execute();
  $stmt->bind_result($salt);


  while ($stmt->fetch()) { 
    printf("%s\n", $salt);
  } 

  $stmt->close();    

}

else return false;

• 我可以正确地编写语句吗?
• 如果我是我还需要检查其他哪些字符?还有什么其他缺陷?
• 进行这些类型的选择的最佳实践是什么?

谢谢

推荐答案

%并不是天生的有害字符.

% is not an inherently harmful character.

问题是:为什么首先要使用LIKE?是否在任何情况下不需要用户名完全匹配?

The question is: why are you using a LIKE in the first place? Are there any circumstances in which you wouldn't require an exact match for username?

查询应简单:

SELECT `salt` FROM admins WHERE `username` = ? LIMIT 1

在这种情况下，如果我输入%bsmith，则我的用户名必须为(字面意义上的)％bsmith"，以便您找到匹配项.

In that case, if I were to enter %bsmith my username would have to be (literally) "%bsmith" in order for you to find a match.

这篇关于mysqli准备好的语句不会转义哪些字符?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！