PHP 保护自己免受 SQL 注入? [英] PHP protecting itself from SQL injections?

问题描述

当我将 ");-- 从输入字段发送到我的本地 PHP 服务器时，它会自动将其转换为

When I send ");-- from an input field to my localhost PHP server, it AUTOMATICALLY converts it to

\");--

看起来不错，只是我不知道这种行为有多值得信赖.虽然好像可以避免SQL注入，但我的开发环境和生产环境不太一样，恐怕生产环境可能没有自动激活这种保护...

It seems great, except that I don't know how trustworthy this behavior is. Although it seems to avoid SQL injections, my development environment is not the same as the production environment and I'm afraid that the production environment may not have this sort of protection automatically activated...

PHP 为什么要这样做(转换输入而不必使用 mysql_real_escape_string)?它总是这样做还是只使用某些扩展?依靠这种行为来防止 SQL 注入是否安全?

Why does PHP does this(convert the input without having to use mysql_real_escape_string)? Does it always do it or only with certain extensions? Is it safe to rely on this behavior to prevent SQL injections?

推荐答案

看来你有 魔术行情 已启用.但是您最好禁用此选项或还原它们.mysql_real_escape_string 更安全.

It seems that you have Magic Quotes enabled. But you better disable this option or revert them. mysql_real_escape_string is more secure.

这篇关于PHP 保护自己免受 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！