是“mysqli_real_escape_string"吗?足以避免 SQL 注入或其他 SQL 攻击吗? [英] Is "mysqli_real_escape_string" enough to avoid SQL injection or other SQL attacks?

问题描述

这是我的代码:

  $email= mysqli_real_escape_string($db_con,$_POST['email']);
  $psw= mysqli_real_escape_string($db_con,$_POST['psw']);

  $query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$email."','".$psw."')";

谁能告诉我它是否安全，或者它是否容易受到 SQL 注入攻击或其他 SQL 攻击?

Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ?

推荐答案

谁能告诉我它是否安全，或者它是否容易受到 SQL 注入攻击或其他 SQL 攻击?

Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ?

否 正如 uri2x 所说，请参阅 绕过 mysql_real_escape_string() 的 SQL 注入代码>.

No. As uri2x says, see SQL injection that gets around mysql_real_escape_string().

防止 SQL 注入的最佳方法是使用准备好的语句. 它们将数据(您的参数)与指令(SQL 查询字符串)分开，并且不会为数据留下任何污染查询结构的空间.准备好的语句解决了应用程序安全的基本问题之一.

The best way to prevent SQL injection is to use prepared statements. They separate the data (your parameters) from the instructions (the SQL query string) and doesn't leave any room for the data to contaminate the structure of your query. Prepared statements solve one of the fundamental problems of application security.

对于不能使用准备好的语句(例如 LIMIT)的情况，为每个特定目的使用非常严格的白名单是保证安全的唯一方法.

For situation where you cannot use prepared statements (e.g. LIMIT), using a very strict whitelist for each specific purpose is the only way to guarantee security.

// This is a string literal whitelist
switch ($sortby) {
    case 'column_b':
    case 'col_c':
        // If it literally matches here, it's safe to use
        break;
    default:
        $sortby = 'rowid';
}

// Only numeric characters will pass through this part of the code thanks to type casting
$start = (int) $start;
$howmany = (int) $howmany;
if ($start < 0) {
    $start = 0;
}
if ($howmany < 1) {
    $howmany = 1;
}

// The actual query execution
$stmt = $db->prepare(
    "SELECT * FROM table WHERE col = ? ORDER BY {$sortby} ASC LIMIT {$start}, {$howmany}"
);
$stmt->execute(['value']);
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);

我认为上面的代码不受 SQL 注入的影响，即使在模糊的边缘情况下也是如此.如果您使用 MySQL，请确保关闭模拟准备.

I posit that the above code is immune to SQL injection, even in obscure edge cases. If you're using MySQL, make sure you turn emulated prepares off.

$db->setAttribute(\PDO::ATTR_EMULATE_PREPARES, false);

这篇关于是“mysqli_real_escape_string"吗?足以避免 SQL 注入或其他 SQL 攻击吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！