mysqli准备好的语句不会转义哪些字符? [英] What characters are NOT escaped with a mysqli prepared statement?
问题描述
我正在尝试强化我的一些PHP代码,并使用mysqli准备好的语句来更好地验证用户输入并防止注入攻击.
I'm trying to harden some of my PHP code and use mysqli prepared statements to better validate user input and prevent injection attacks.
我放弃了mysqli_real_escape_string 因为它没有转义%和_ .但是,当我将查询创建为mysqli准备的语句时,仍然存在相同的缺陷.该查询根据用户名提取用户的盐值.我会为密码和其他查询做类似的事情.
I switched away from mysqli_real_escape_string as it does not escape % and _. However, when I create my query as a mysqli prepared statement, the same flaw is still present. The query pulls a users salt value based on their username. I'd do something similar for passwords and other lookups.
代码:
$db = new sitedatalayer();
if ($stmt = $db->_conn->prepare("SELECT `salt` FROM admins WHERE `username` LIKE ? LIMIT 1")) {
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($salt);
while ($stmt->fetch()) {
printf("%s\n", $salt);
}
$stmt->close();
}
else return false;
- 我可以正确地编写语句吗?
- 如果我是我还需要检查其他哪些字符?还有什么其他缺陷?
- 进行这些类型的选择的最佳实践是什么?
谢谢
推荐答案
%
并不是天生的有害字符.
%
is not an inherently harmful character.
问题是:为什么首先要使用LIKE
?是否在任何情况下不需要用户名完全匹配?
The question is: why are you using a LIKE
in the first place? Are there any circumstances in which you wouldn't require an exact match for username?
查询应简单:
SELECT `salt` FROM admins WHERE `username` = ? LIMIT 1
在这种情况下,如果我输入%bsmith
,则我的用户名必须为(字面意义上的)%bsmith",以便您找到匹配项.
In that case, if I were to enter %bsmith
my username would have to be (literally) "%bsmith" in order for you to find a match.
这篇关于mysqli准备好的语句不会转义哪些字符?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!