mysql_real_escape_string() 是否完全防止 SQL 注入? [英] Does mysql_real_escape_string() FULLY protect against SQL injection?

问题描述

在 http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this ，有一个部分声称您可以使用某些亚洲字符编码绕过 mysql_real_escape_string

On http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/?akst_action=share-this , there is a section that claims you can bypass mysql_real_escape_string with certain Asian character encodings

使用 BIG5 或 GBK 绕过 mysql_real_escape_string()

Bypassing mysql_real_escape_string() with BIG5 or GBK

注入字符串"
に关する追加情报:

"injection string"
に関する追加情報：

以上字符为中文Big5

the above chars are Chinese Big5

这是真的吗?如果是这样，如果您无法访问准备好的声明，您将如何保护您的网站免受此类攻击?

Is this really true? And if so, how would you protect your website against this, if you had no access to prepared statements?

推荐答案

根据 Stefan Esser 的说法，"mysql_real_escape_string() [is] 在 SET NAMES 被使用."

According to Stefan Esser, "mysql_real_escape_string() [is] not safe when SET NAMES is used."

他的解释，来自他的博客:

SET NAMES 通常用于将编码从默认编码切换到应用程序需要的编码.这是以 mysql_real_escape_string 不知道的方式完成的.这意味着如果你切换到一些允许反斜杠作为 2nd 3rd 4th … 字节的多字节编码，你就会遇到麻烦，因为 mysql_real_escape_string 不能正确转义.UTF-8 是安全的……

SET NAMES is usually used to switch the encoding from what is default to what the application needs. This is done in a way that mysql_real_escape_string doesn’t know about this. This means if you switch to some multi byte encoding that allows backslash as 2nd 3rd 4th… byte you run into trouble, because mysql_real_escape_string doesn’t escape correctly. UTF-8 is safe…

更改编码的安全方法是mysql_set_charset，但这仅适用于新的 PHP 版本

Safe way to change encoding is mysql_set_charset, but that is only available in new PHP versions

不过，他确实提到 UTF-8 是安全的.

He does mention that UTF-8 is safe, though.

这篇关于mysql_real_escape_string() 是否完全防止 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！