How does CodeIgniter sanitize inputs?


Question


I'm building a Codeigniter application and I'm trying my hardest to prevent SQL injections. I'm using the Active Record method to construct all my queries. I know Active Record automatically sanitizes the input, but I'm wondering exactly to what extent? Does it simply escape all the quotes, or does it do more? What about preventing obfuscated SQL injections, or other more advanced kinds?


Basically, I'm looking for an in-depth explanation of how CI sanitizes data. Anyone know?

Recommended answer


Exactly like this (for the MySQL driver):


  • Tries mysql_real_escape_string() (this will be the case 99% of the time)
  • Falls back to mysql_escape_string()
  • Falls back to addslashes()
  • Manually escapes % and _ in LIKE conditions via str_replace()

https://github.com/EllisLab/CodeIgniter/blob/develop/system/database/drivers/mysql/mysql_driver.php#L294

/**
* Escape String
*
* @access public
* @param string
* @param bool whether or not the string will be used in a LIKE condition
* @return string
*/
function escape_str($str, $like = FALSE)
{
    if (is_array($str))
    {
        foreach ($str as $key => $val)
        {
            $str[$key] = $this->escape_str($val, $like);
        }

        return $str;
    }

    if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id))
    {
        $str = mysql_real_escape_string($str, $this->conn_id);
    }
    elseif (function_exists('mysql_escape_string'))
    {
        $str = mysql_escape_string($str);
    }
    else
    {
        $str = addslashes($str);
    }

    // escape LIKE condition wildcards
    if ($like === TRUE)
    {
        $str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
    }

    return $str;
}


Note that this is merely escaping characters so MySQL queries will not break or do something unexpected, and is used only in the context of a database query to ensure correct syntax based on what you pass to it.


There is no magic that makes all data safe for any context (like HTML, CSV, or XML output), and just in case you were thinking about it: xss_clean() is not a one-size-fits-all solution nor is it 100% bulletproof, sometimes it's actually quite inappropriate. The Active Record class does the query escaping automatically, but for everything else you should be escaping/sanitizing data manually in the correct way for the given context, with your output, not your input.
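The following is an added example, not code from CodeIgniter or from the answer above. It illustrates the two points the answer makes: that quote escaping (here done by parameter binding) leaves the LIKE metacharacters `%` and `_` untouched, so the extra `str_replace()` step in `escape_str($str, TRUE)` is needed, and that a value safe inside a query is not thereby safe for HTML output. It uses PDO rather than the `mysql_*` extension (which no longer exists in PHP 7 and later) and an in-memory SQLite database so it runs offline. The table name, sample rows and helper function names are constructed for the example; the `ESCAPE` clause is spelled out because SQLite, unlike MySQL, has no default LIKE escape character, and for that reason the helper also escapes the backslash itself, which goes one step beyond the CodeIgniter snippet.

```php
<?php
// Added example (not CodeIgniter's code). Demonstrates LIKE wildcard escaping
// on top of parameter binding, then context-specific escaping for HTML output.
// Assumed/constructed: table "products", its rows, and the helper names below.

// Mirrors the str_replace() step of escape_str($str, TRUE): make % and _ match
// literally. The backslash is escaped too because it is declared as the escape
// character in the query (assumption for SQLite; MySQL uses it by default).
function escapeLike(string $str): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $str);
}

// Runs a "contains" search. Binding handles the quotes; wildcard escaping is
// still the caller's responsibility, which the $escapeWildcards flag toggles.
function searchProducts(PDO $db, string $userInput, bool $escapeWildcards): array
{
    $needle = $escapeWildcards ? escapeLike($userInput) : $userInput;
    $stmt = $db->prepare("SELECT name FROM products WHERE name LIKE :pat ESCAPE '\\'");
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT)');
$insert = $db->prepare('INSERT INTO products (name) VALUES (?)');
foreach (['50% off', '50 off today', '5_0 off', '520 off'] as $row) { // constructed rows
    $insert->execute([$row]);
}

// A user searching for the literal text "50%" or "5_0" should only get rows that
// really contain it; without wildcard escaping the metacharacters widen the match
// to rows such as "50 off today" and "520 off".
foreach (['50%', '5_0'] as $input) {
    printf("input %-4s unescaped: %s\n", $input, implode(' | ', searchProducts($db, $input, false)));
    printf("input %-4s escaped:   %s\n", $input, implode(' | ', searchProducts($db, $input, true)));
}

// The value that was safe inside the query is not safe inside an HTML page.
// Escape at output time, with the escaper for that output context.
$fromDb = '<b>50% off</b> & more';
echo htmlspecialchars($fromDb, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```

Run it with `php example.php`; it needs the `pdo_sqlite` extension, which ships with most PHP builds. The first loop prints the unescaped and escaped result sets side by side for each input, and the last line shows the same kind of string escaped for HTML rather than for SQL.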
