问题
I'm trying to figure out how to prevent sqlinjection, I wrote this basic function : function
antiInjectie($inputfromform){
$temp = str_replace("'", "`",$inputfromform);
$temp = str_replace("--", "~~",$temp);
return htmlentitites($temp);
}
However someone told me to also take hex values in consideration, but how do I do this?
Update I'm stuck with MDB2 and pgsql
回答1:
Bobby-Tables has a good guide to preventing SQL injection.
In short: Don't twiddle with the input yourself, use database API methods that allow bound parameters.
回答2:
With MDB2 you can do the same as with PHP’s native PDO abstraction that was proposed in related question Best way to stop SQL Injection in PHP. You can either use a prepared statement with prepare and execute or by quoting and inserting the values manually.
回答3:
Use pg_query_params(), the most easy function to avoid SQL injection using PHP and PostgreSQL.
回答4:
First, don't write any escapting function yourself. They're very likely to be broken and the database library is very likely to contain a proper one. For mysql you can use mysql_real_escape_string.
A much better longterm solution though is not to create your full query as text, but rather use prepared queries and pass the values during execution. For mysql, check the mysqli extension.
来源:https://stackoverflow.com/questions/6725520/preventing-sql-injection-in-php-with-mdb2