我应该在哪里放置 mysql_real_escape_string? [英] Where should I place mysql_real_escape_string?

问题描述

mysql_real_escape_string 的最佳使用方式是什么，开头是这样的:

What's the best way to use mysql_real_escape_string, is it at the beginning like this:

$email = mysql_real_escape_string($_POST['email']); 
$qemail = mysql_query ("SELECT email FROM ppl WHERE email='$email'"); 

或者像这样结束:

$email = $_POST['email'];
$qemail = mysql_query ("SELECT email FROM ppl WHERE email='". mysql_real_escape_string($email) ."'");

整个网站都在使用mysql，所以我必须把它保存在mysql中.问题是，我不想在任何地方使用 mysql_real_escape_string (代码看起来令人困惑和可怕).我只想在 $_POST 的开头使用它，但这足够了吗?

The whole website is using mysql so I have to keep it in mysql. The problem is, I don't want to use mysql_real_escape_string everywhere (the code looks confusing and horrible). I would like to use it only at the beginning for $_POST, but is that enough?

有些人建议最好在查询中使用它，但我不明白为什么.

Some people suggest that it's best to use it in queries, but I fail to see why.

推荐答案

你应该把mysql_real_escape_string() 直接放入垃圾桶并迁移到mysqli 或 PDO 和 学习使用准备好的语句.

You should place mysql_real_escape_string() directly into the rubbish bin and migrate to mysqli or PDO and learn to use prepared statements instead.

我之前在应用程序安全性简介，但使 SQL 注入成为可能的根本问题是数据和代码的混淆.

I've mentioned this before in A Gentle Introduction to Application Security, but the fundamental problem that makes SQL injection possible is the confusion of data and code.

准备好的语句将您的查询字符串 (SELECT * FROM foo WHERE column = ?) 和您的参数 (['foo']) 在单独的数据包中发送到数据库服务器.参数永远有机会接触查询字符串，从而阻止了使SQL注入成为可能的条件.

Prepared statements send your query string (SELECT * FROM foo WHERE column = ?) and your parameters (['foo']) in separate packets to the database server. The parameters never get a chance to touch the query string, thus preventing the condition that makes SQL Injection possible in the first place.

转义输入和构建查询字符串没有相同的保证.当然，可以安全地做到这一点，但是如果你犯了一个错误并且一个不熟练 黑客 找到了，你的整个数据库都被吐司了.(请记住，SQL 注入是唾手可得的成果.)

Escaping inputs and building the query string does not have the same guarantee. It's possible to do it safely, of course, but if you make one mistake and an unskilled hacker finds it, your entire database is toast. (Keep in mind, SQL Injection is low-hanging fruit.)

这篇关于我应该在哪里放置 mysql_real_escape_string?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！