addlashes() 是否足够安全以避免 SQL 注入? [英] Is addslashes() secure enough to avoid SQL INJECTIONS?
问题描述
我在页面上接收的所有参数上使用了addslashes().并且还在 mysql 查询中围绕这些变量应用单个法庭.这是我的代码:
I am using addslashes() on all the parameters receiving on page. And also applying single courts around those variables in mysql query. Here is my code:
$string = addslashes($_POST['string']);
$queryString = " INSERT INTO general (description) VALUES ('$string')";
$query = mysql_query($queryString);
和
$queryString = "SELECT description FROM general WHERE description = '".$string."'";
$query = mysql_query($queryString);
这段代码中是否有 SQL INJECTION 的可能性?
Is there any chance of SQL INJECTION in this code?
推荐答案
阅读这篇文章:addslashes() 与 mysql_real_escape_string()
read this article: addslashes() Versus mysql_real_escape_string()
摘录:
如果我想尝试对 MySQL 数据库进行 SQL 注入攻击,用反斜杠转义单引号是一件令人沮丧的事情.但是,如果您使用的是addslashes(),那么我很幸运.我需要做的就是注入 0xbf27 之类的东西,并将其修改为 0xbf5c27,这是一个有效的多字节字符,后跟单引号.换句话说,尽管你逃跑了,我还是可以成功地注入一个单引号.那是因为 0xbf5c 被解释为单个字符
If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character
注意:
请不要在新代码中使用mysql_*
函数.它们不再维护并正式弃用.看到红框?了解准备好的语句,并使用PDO 或 MySQLi- 这篇文章 将帮助您决定哪个.如果您选择 PDO,这里有一个很好的教程.
Please, don't use
mysql_*
functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
这篇关于addlashes() 是否足够安全以避免 SQL 注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!