如何验证整数值以避免SQL注入? [英] How to validate integer values to avoid SQL injection?

问题描述

避免对诸如数字之类的已定义值类型进行SQL注入的最佳方法是验证值.因为与mysqli准备相比，这样做更容易.在PHP中，我们可以这样做.

The best way to avoid SQL injection for defined value type such as numbers, is to validate the value; since it is easier to do so comparing with mysqli preparation. In PHP, we can do this by.

1. if(!is_numeric($value)) {$value=0;}
2. $value=floatval($value);
3. $value=intval($value);
4. $value=$value * 1;

最可靠的是什么?还是更好的主意?

What is the most reliable one? or a better idea?

更新:尽管我在最初的问题中已经提到过，但大多数人还是强调了参数化查询的有用性.无疑，这是避免SQL注入的最有效方法.但是，当我们可以简单地验证整数数值时；恕我直言，无需参数化.

UPDATE: Although I have stated in the original question, most of folks emphasized the usefulness of parameterized queries. Definitely, it is the most efficient way to avoid SQL injection. But when we can simply validate an integer numeric value; IMHO, there is no need to parametrization.

推荐答案

对于整数和浮点数，如果不想执行参数化查询，则可以使用它.

For integers and floats you can use this if you don't want to do a parameterised query.

$clean_number = (int)$value;

$clean_number = (float)$value;

这些实际上将值强制转换为int和float，例如，这比intval()和floatval()快，因为它没有函数开销.

These are actually casting the value as int and float, this is faster than intval() and floatval() for example because it does not suffer the function overhead.

这篇关于如何验证整数值以避免SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！