发表新帖
发表新帖

PHP mysql injection protection

前端 未结
关注
6 1535
野性不改
野性不改 2020-12-10 17:53

I have written this short function to protect against my_sql injection, because of its importance I just want to double check with other\'s that this will function as I inte

相关标签:
6条回答
  • 攒了一身酷
    2020-12-10 18:02

    If you use PDO (properly) you don't have to worry about MySQL injection.

    Sample:

    /* Execute a prepared statement by passing an array of insert values */
$calories = 150;
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->execute(array(':calories' => $calories, ':colour' => $colour));

    More information

    0 讨论(0)
  • 心在旅途
    2020-12-10 18:08

    If you include arbitrary $keys in your query, you should escape those too.

    0 讨论(0)
  • 庸人自扰
    2020-12-10 18:13

    you need to explicitly add the database connection identifier into 

    mysql_real_escape_string(..., $db_connection_identifier);

    mysql_real_escape_string

    string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

    0 讨论(0)
  • 别那么骄傲
    2020-12-10 18:15

    Seems like a bit of sledgehammer approach. You don't need stripslashes unless your running magic_quotes. Type-Casting can be more elegant when you know you want int, float or bool.

    Further Info:

    Type-Casting: http://php.net/manual/en/language.types.type-juggling.php

    testing for magic quotes: http://www.php.net/manual/en/function.get-magic-quotes-gpc.php (Thanks Karolis)

    0 讨论(0)
  • 感动是毒
    2020-12-10 18:16

    Tomas's suggestion is good, but you should always keep them both in mind, so this can be great:

    if (get_magic_quotes_gpc()) { // Check if magic quotes are enabled
    foreach($_REQUEST as $key => $value) {          
       $_REQUEST[$key] = stripslashes($value);
       $_REQUEST[$key] = stripslashes($_REQUEST[$key])
    } 
} else {
    foreach($_REQUEST as $key => $value) {
      $_REQUEST[$key] = mysql_real_escape_string($value);
      $_REQUEST[$key] = mysql_real_escape_string($_REQUEST[$key]);
    } 
}
    0 讨论(0)
  • 刺人心
    2020-12-10 18:18

    Well, you use stripslashes() because the magic_quotes_gpc is set? So this code will only work when magic_quotes_gpc is set! I'd recommend you switch it off and dont use the strislashes() call.

    But note there is nothing like "universal sanitization". Let's call it just quoting, because that's what its all about.

    When quoting, you always quote text for some particular output, like:

    1. string value for mysql query
    2. like expression for mysql query
    3. html code
    4. json
    5. mysql regular expression
    6. php regular expression

    For each case, you need different quoting, because each usage is present within different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (always assure it is switched off!!!).

    So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)

    1. mysql_real_escape_string($str)
    2. mysql_real_escape_string(addcslashes($str, "%_"))
    3. htmlspecialchars($str)
    4. json_encode() - only for utf8! I use my function for iso-8859-2
    5. mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because backslash would be escaped two times!
    6. preg_quote()
    0 讨论(0)
 看不清?
提交回复
热议问题