使用 mysql_real_escape_string 和 stripslashes 避免 SQL 注入 [英] Avoiding SQL injection using mysql_real_escape_string and stripslashes

问题描述

这是在运行数据库查询之前防止 SQL 注入的好方法吗?

Is this a good way to prevent SQL injection before running a database query?

$name = mysql_real_escape_string(stripslashes($name));
$age = mysql_real_escape_string(stripslashes($age));
$location = mysql_real_escape_string(stripslashes($location));

提前致谢！

推荐答案

这个答案很好:

• mysql_real_escape_string() 与预处理语句对比 作者:Ilia Alshanetsky

• mysql_real_escape_string() versus Prepared Statements by Ilia Alshanetsky

那你能做什么?解决方案是使用准备好的语句，它几乎所有 PHP 数据库扩展都支持MySQL (ext/mysql) 和 SQLite2 (ext/sqlite) 的例外.所以，继续安全的一面，我建议使用 PDO 接口与那些数据库或使用较新的 MySQLi 的 MySQL(ext/mysqli) 扩展.这些接口提供准备好的语句支持，它允许分离查询结构和查询参数.

So what can you do? The solution is to use prepared statements, which are supported by nearly all PHP database extensions with the notable exceptions of MySQL (ext/mysql) and SQLite2 (ext/sqlite). So, to be on the safe side, I'd recommend using the PDO interface to talks with those databases or in the case of MySQL using the newer MySQLi (ext/mysqli) extension. Those interfaces provide prepared statement support, which allows for separation between query structure and the query parameters.

所以为了安全起见，不要单独依赖 mysql_real_escape_string，使用准备好的语句要好得多.

So to be on safer side, don't rely on mysql_real_escape_string alone, using prepared statements is much better.

这篇关于使用 mysql_real_escape_string 和 stripslashes 避免 SQL 注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！