Does htmlspecialchars protect this MySQL query?

Posted by 不想你离开。, submitted 2019-12-12 01:47:39

Question


I have a $_GET parameter, and users are able to send the $_GET string to MySQL, so a quick question:

Is this query:

mysql_query("SELECT XX FROM ZZ WHERE YY %LIKE% " . htmlspecialchars($_GET['string']) . ";");

enough to be safe, or should I add something more than htmlspecialchars() to be safe?

Thank you in advance for all replies.


Answer 1:


Unsafe.

Trivial example data that even shows htmlspecialchars doing "its thing" -- it's just the wrong "thing".

1;DROP TABLE all_your_precious_data--&

Happy coding.


Solution: Use placeholders as per PDO or mysqli (or use mysql_real_escape_string if you wish to keep promoting outdated practices...)

See Best way to stop SQL injection in PHP and Prevent injection SQL with PHP and Can SQL injection be prevented with just addslashes?




Answer 2:


htmlspecialchars has nothing to do with MySQL. It's for escaping HTML special characters, characters that have special meaning when evaluated as HTML. You should use it before you write untrusted data to the browser, not to the database.

You need to remove htmlspecialchars entirely, and use mysql_real_escape_string, or better yet, PDO.
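The following is an added example, not code from the question or from answers 1 and 2, that puts both of their points side by side: first what the question's query text actually becomes when answer 1's payload goes through htmlspecialchars() (the question's `%LIKE%` is written as a plain `LIKE` so the string is valid SQL), then the PDO prepared statement both answers recommend. It assumes PDO with an in-memory SQLite database instead of MySQL so it runs without a server (the `mysql_*` functions the question uses were removed in PHP 7.0); the table and column names, the sample rows and the `searchItems()` helper are constructed for the demo. Because the page's query is a LIKE search, the helper also escapes the LIKE wildcards `%` and `_` in user input, which a placeholder alone does not do.

```php
<?php
// Added example, not from the original question or answers. Runs against an
// in-memory SQLite database through PDO; table/column names and sample rows
// below are made up for the demonstration.

// 1. What the question's approach sends to the database for answer 1's payload.
// htmlspecialchars() only rewrites & < > " ' into HTML entities; the characters
// that matter to SQL (; -- and the keywords) pass through untouched.
$payload = "1;DROP TABLE all_your_precious_data--&";
$unsafeSql = "SELECT XX FROM ZZ WHERE YY LIKE " . htmlspecialchars($payload) . ";";
echo $unsafeSql, PHP_EOL;
// SELECT XX FROM ZZ WHERE YY LIKE 1;DROP TABLE all_your_precious_data--&amp;;

// 2. The fix: a prepared statement with a bound placeholder. The value is sent
// separately from the SQL text, so nothing in it can change the statement.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client-side driver, performs the binding.

$pdo->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("CREATE TABLE all_your_precious_data (id INTEGER PRIMARY KEY)");
$insert = $pdo->prepare("INSERT INTO items (name) VALUES (?)");
foreach (["widget", "gadget", "100%_pure", "1;DROP TABLE"] as $name) {
    $insert->execute([$name]);
}

/**
 * Return the names of items whose name contains $term (a substring search).
 * LIKE wildcards typed by the user (% and _) are escaped so they match
 * literally rather than acting as patterns; '!' is the escape character.
 */
function searchItems(PDO $pdo, string $term): array
{
    // Escape the escape character itself first, then the two wildcards.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $pdo->prepare("SELECT name FROM items WHERE name LIKE ? ESCAPE '!'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(searchItems($pdo, "gad"));     // ["gadget"]
print_r(searchItems($pdo, "%_"));      // ["100%_pure"]: the wildcards matched literally
print_r(searchItems($pdo, $payload));  // []: the payload is just a string that matches nothing

// The table the payload tried to drop is still there.
$tables = $pdo->query(
    "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'all_your_precious_data'"
)->fetchAll(PDO::FETCH_COLUMN);
var_dump($tables === ['all_your_precious_data']); // bool(true)
```

The same `prepare()` / `execute()` shape works unchanged with a `mysql:` DSN; the `ESCAPE '!'` clause is used rather than relying on the driver's default escape character, because MySQL defaults to backslash while SQLite has no default at all.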




Answer 3:


It's probably unsafe, and you'd better use mysql_real_escape_string.



Source: https://stackoverflow.com/questions/7355639/does-htmlspecialchars-protect-this-mysql-query
