安全替代mysql_real_escape_string吗? (PHP) [英] Safe alternative to mysql_real_escape_string? (PHP)

问题描述

我正在将变量传递给执行查询的函数

I am passing a variable to a function that executes a query

MySQL连接仅在函数内部发生，并在函数内部关闭

The MySQL connection only occurs inside the function, and closes inside the function

我希望能够在将字符串发送到函数之前安全地对其进行转义

I want to be able to safely escape strings BEFORE I send them to the function

我不能使用mysql_real_escape_string，因为它需要MySQL连接(仅在函数内部建立)

I can't use mysql_real_escape_string because it requires a MySQL connection (which is only being made inside the function)

我知道简单的答案是在函数内部转义字符串，但是我不能这样做，因为我需要发送一些转义的字符串以及一些未转义的字符串

I know the simple answer would be to escape strings inside the function, but I cannot do this because I need to send some escaped, and some non-escaped parts of a string

例如，我需要运行以下函数:

For example, I need to run the function like this:

myquery("'" . escape_me("My string") . "'");

注意，我要发送两个不加转义的撇号，其中带有转义的字符串.因此，我无法对myquery函数内部的参数做一揽子mysql_real_escape_string.

Notice I am sending two apostrophe's-- unescaped, with an escaped string inside. For this reason I can't do a blanket mysql_real_escape_string on arguments inside of myquery function.

我发现以下代码，建议我可以将其用作mysql_real_escape_string的替代方法:

I found the following code, suggesting that I could use it as an alternative to mysql_real_escape_string:

// escape characters
function escape_me($value) {
    $return = '';
    for($i = 0; $i < strlen($value); ++$i) {
        $char = $value[$i];
        $ord = ord($char);
        if($char !== "'" && $char !== "\"" && $char !== '\\' && $ord >= 32 && $ord <= 126)
            $return .= $char;
        else
            $return .= '\\x' . dechex($ord);
    }
    return $return;
}

我不知道此功能对多字节攻击是否安全，但我认为每次查询时也需要撤消该功能

I do not know if this function is safe from multibyte attacks, but I think I also need to undo the function every time I query

例如，输入: 在数据库中测试3的确定"变为测试3x27s x22OKx22

For example, inputting: Testing 3's "OK" is turned into Testing 3x27s x22OKx22 in the database

所以我的主要问题是: 您知道我是否可以使用其他功能替代mysql_real_escape_string来安全地转义字符吗?

So my main question is: Do you know if there is another function I can use as an alternative to mysql_real_escape_string that will safely escape characters?

推荐答案

• 每次调用此函数时进行连接是一个糟糕的主意.一个好的计划应用程序不会有这么奇怪的限制.

• 您可以像这样使用替代
  myquery("SELECT * FROM table WHERE id = %s","My string");

  • It's terrible idea to connect every time you're calling this function. A good planned application wouldn't have such odd limitation.

  • you can use substitutions, like this
    myquery("SELECT * FROM table WHERE id = %s","My string");

    您可以使用另一种替代方式，一种现代的替代方式:准备好的语句.将会在其他许多答案中对此进行描述.

    You can use another way of substitutions, a modern one: prepared statements. it will be described in numerous other answers.

    因为没有人发布，这是一个粗略的例子

    as noone posted it yet, here is rough example

    function fetchAll(){
     $args = func_get_args();
     $query = array_shift($args);
     $stmt = $pdo->prepare($query);
     $stmt->execute($args);
     return $stmt->fetchAll();
    }
    $a=$db->fetchAll("SELECT * FROM users WHERE status=? LIMIT ?,?",$status,$start,$num);
    

    • 只要您使用单字节编码或utf-8，就无需使用mysql_real_escape_string，因此 mysql_escape_string (不建议使用)或加斜杠就足够了
    • As long as you're using single-byte encoding or utf-8, no need to use mysql_real_escape_string, so mysql_escape_string(deprecated) or addslashes would be enough

    这篇关于安全替代mysql_real_escape_string吗? (PHP)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！