Is urlencode() good enough to stop all SQL injection attacks in the year 2011


Question


I'm passing some simple user data into a mysql database.

PHP's urlencode() Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits.

I'm not worried about the spaces turning into plus signs, or other formatting issues. Neither am I worried about XSS and other HTML hacks.

I believe I should be safe from ' and ) style attacks.

QUESTION: Are there other kinds of sql attacks that could be used with - or _ or . ?

EXAMPLE:

mysql_query("UPDATE cars SET color = '".urlencode($c)."' WHERE garage = 29");

Thank you in advance

Answer

urlencode() has nothing to do with SQL, so it does as much to prevent SQL injection as kerosene does to make your burgers more delicious. Besides, everything that enters your database will end up URL encoded, which you then have to decode if you want to do anything useful with them after retrieving the database.

Escaping your queries, on the other hand, helps your application to guard against SQL injection, and nothing more. It does not modify the data you enter into your queries; it only protects your queries from being tampered with. That's the idea of SQL injection, and it's also why URL encoding your data doesn't do anything to protect against it. Granted, it does turn your apostrophes ' into %27, rendering them harmless, but as mentioned in the above paragraph, you'll have to URL decode them back into apostrophes in order to use them.

Use the right tool for the right purpose. Especially in the year 2011, you should be using prepared statements instead of manually escaping your query variables and concatenating strings to form queries.
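The three approaches discussed above side by side, as an added example that is not code from the question or the answer. It uses PDO with an in-memory SQLite database so it runs stand-alone (the question used MySQL through mysql_query(), which was removed in PHP 7); the cars table, its rows and the two input strings are constructed for illustration.

```php
<?php
// Added example, not code from the original question or answer. It uses PDO
// with an in-memory SQLite database so it runs stand-alone; the question used
// MySQL through the old mysql_query() API. The table, rows and inputs below
// are constructed for illustration.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cars (id INTEGER PRIMARY KEY, garage INTEGER, color TEXT)');
$db->exec("INSERT INTO cars (garage, color) VALUES (29, 'blue'), (30, 'green')");

// Helper: map of garage => color for the whole table.
function colors(PDO $db): array
{
    return $db->query('SELECT garage, color FROM cars ORDER BY garage')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

$c = "O'Neil's dark red";          // constructed input: spaces and apostrophes

// 1. Plain concatenation, the pattern urlencode() was meant to rescue.
//    A value that closes the quote and comments out the rest of the statement
//    turns the WHERE clause off, so every row in the table changes.
$hostile = "red' WHERE 1=1 -- ";
$db->exec("UPDATE cars SET color = '" . $hostile . "' WHERE garage = 29");
print_r(colors($db));              // garage 29 and garage 30 are both 'red' now

// Reset the rows before the next two variants.
$db->exec("UPDATE cars SET color = 'blue' WHERE garage = 29");
$db->exec("UPDATE cars SET color = 'green' WHERE garage = 30");

// 2. The question's approach: urlencode() and concatenate. The apostrophes
//    become %27 and the spaces '+', so the query is not broken, but the column
//    now holds the encoded form rather than what the user typed.
$db->exec("UPDATE cars SET color = '" . urlencode($c) . "' WHERE garage = 29");
$stored = colors($db)[29];
echo "stored with urlencode():  $stored\n";                    // O%27Neil%27s+dark+red

// Every consumer of the column has to urldecode() it, and the decoded value
// carries the apostrophes again; concatenating that decoded value into any
// later query brings the original problem straight back.
echo "after urldecode():        " . urldecode($stored) . "\n"; // O'Neil's dark red

// 3. The answer's recommendation: a prepared statement. The value travels
//    separately from the SQL text, so nothing needs escaping or encoding and
//    the column stores exactly what was entered, hostile-looking or not.
$stmt = $db->prepare('UPDATE cars SET color = :color WHERE garage = :garage');
$stmt->execute([':color' => $c, ':garage' => 29]);
$stmt->execute([':color' => $hostile, ':garage' => 30]);
print_r(colors($db));
// [29 => "O'Neil's dark red", 30 => "red' WHERE 1=1 -- "]; garage 29 is untouched
// by the hostile value, which is just text in garage 30's color column.
```

The same PDO::prepare()/execute() pattern works unchanged against MySQL with a mysql: DSN; only the connection line differs.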
