MySQLi快速安全性问题 [英] Quick MySQLi security question
问题描述
Possible Duplicate:
Do I have to use mysql_real_escape_string if I bind parameters?
我有一个有关MySQLi安全性的快速问题...
I have a quick MySQLi security related question...
例如,看一下下面的代码(从用户那里获取输入,对照数据库进行检查以查看用户名/密码组合是否存在):
For example, take a look at this code (gets input from the user, checks it against the database to see if the username/password combination exist):
$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);
// query db
if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password = ?"))
{
$stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));
$stmt->execute();
$stmt->store_result();
// check if there is a match in the database for the user/password combination
if ($stmt->num_rows > 0)
{}
}
在这种情况下,我在表单数据上使用htmlentities(),并使用MySQLi准备的语句.我还需要使用mysql_real_escape_string()吗?
In this case, I am using htmlentities() on the form data, and using a MySQLi prepared statement. Do I still need to be using mysql_real_escape_string()?
推荐答案
是的,因为不存在与html相关的实体,这些实体可能会对真正的转义字符串捕获的数据库造成损害.就像UTF-8字符一样.
Yes since there are non html related entities that can cause harm to your database that real escape string catches. Like UTF-8 characters.
但是正如注释中所指出的那样,您正在使用mysqli prepare,这就足够了.
But as noted here in the comments you are using mysqli prepare and that is enough.
BTW MySQLi具有它自己的转义字符串函数.
如果您有兴趣.BTW MySQLi has it's own escape string function. if you are interested.
这篇关于MySQLi快速安全性问题的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
