mysql_real_escape_string失败并需要准备语句的具体示例 [英] Concrete example of where mysql_real_escape_string fails and Prepared Statements are necessary

问题描述

除其他功能外，我一直在使用mysql_real_escape_string清除输入内容，最近阅读到，Prepared Statements是真正安全的唯一方法.但是，由于两个原因，我不愿意使用它们:我不想重写代码，并且我读到使用它们会影响性能(查询在此应用程序中得到了广泛使用).

I've been sanitising my inputs using mysql_real_escape_string amongst other functions and have recently read that Prepared Statements are the only way to be truly secure. However I am reluctant to use these for two reasons: I don't want to rewrite code and I read that using them can have an impact on performance (queries are used extensively in this application).

因此，我正在寻找一个最近的具体示例，该示例中的mysql_real_escape_string在查询中失败，而解决方案是使用Prepared Statements(即，无法进一步对输入进行清理并确保其安全性) ).

So I am looking for a recent, concrete example of where mysql_real_escape_string fails in a query and the resolution is to use Prepared Statements (i.e. there is no way to further sanitise the input and guarantee it's safe).

我之所以这样问，是因为我能找到满足上述条件的唯一示例是在一段时间之前的，并且此后已在更多最新版本的php中进行了修补.

I ask this because the only example I could find which met the above criteria were from some time ago and have since been patched out in more up to date versions of php.

推荐答案

从PHP文档中获取该功能( http://php.net/mysql_real_escape_string )，它表示"mysql_real_escape_string()调用MySQL的库函数mysql_real_escape_string，该函数将反斜杠附加到以下字符:\ x00，\ n，\ r，\，'，和\ x1a. " 因此，它的有用性取决于上下文.因此，例如，如果您有以下情况:

From the PHP Documentation for the function (http://php.net/mysql_real_escape_string), it says "mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a." Thus, it's usefulness depends on the context. So, for example, if you had the following scenario:

$user_input = mysql_real_escape_string($_GET['user_input']);
$query = "SELECT * FROM `users` WHERE `id` = $user_input";
$result = mysql_query($query);

嗯，那真是愚蠢.因为如果字符串是0 or 9=9，则该字符串不包含该函数转义的任何字符.但是，当注入$ query文字时，它会生成:

Well, that would be pretty stupid. Because if the string was 0 or 9=9, then that does not contain any of the characters which the function escapes. However, when injected into the $query literal, it produces :

$query = "SELECT * FROM `users` WHERE `id` = 0 or 9=9";

这将返回users表中的所有行……这可能不是程序员的意图.

This would return all rows in the users table...... Which is probably not the intention of the programmer.

因此，概括地说，如果用户输入由mysql_real_escape_string()处理但在整数或其他数字数据类型的上下文中使用，则它将无法提供足够的保护.

So, to sumarise, if the user input is handled by mysql_real_escape_string() but made use of in the context of an integer or other numeric data type, then it would fail to provide sufficient protection.

使用准备好的语句，您可以确保每个值不仅可以转义，还可以验证为正确的数据类型.

With prepared statements, you can ensure that each value is not only escaped, but validated to be the correct data type.

在上面的示例中，最安全的处理方法是使用intval()函数而不是mysql_real_escape_string()函数.

In the example above, the safest way to have handled that would have been to use the intval() function instead of the mysql_real_escape_string() function.

希望如此.

这篇关于mysql_real_escape_string失败并需要准备语句的具体示例的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！