问题
What is the best function to run my strings through to ensure that MySQL injection is impossible?
Also, will it require running it through another function on the way out to make it display correctly?
See also
Are Parameters really enough to prevent Sql injections?
C# Parameterized Query MySQL with in clause
Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes?
回答1:
Parameterized Queries
回答2:
A parameter function.
Humor aside, I mean don't dynamically execute user-entered content as SQL if you can at all avoid it. Pass everything as parameters, and reference them from your query instead. See Chad Birch's answer for a good link explaining this.
回答3:
As Chad says, always use parameterized queries to avoid SQL injection.
To answer the second half of your question, if your output is to a web page then always escape any special HTML characters (&, <, >) to protect against script injection.
回答4:
Add to parameterized queries the use of input validation within the application. Never trust that the input is clean. Check it. For instance, if it's supposed to be an integer, check to make sure it converts to a numeric value without issue.
回答5:
In PHP the best way is to use HTML escaping on strings.
It turns special characters into HTML compliant characters.
Example: " " (space) transforms into "%20".
来源:https://stackoverflow.com/questions/714704/what-is-the-best-solution-for-sql-injection-security-on-mysql