问题
what is the best way to escape a Search String from an input field to prevent SQLInjections?
Is there an mysql_real_escape_string method like in PHP or should i manually replace/escape the different characters like: OR, AND, LIKE, WHERE, DELETE, INSERT, UPDATE, FROM, GROUP BY, ORDER BY and so on?
回答1:
closed with the answer from: @Nick Weaver:
I don't think that you have to take care about that.
回答2:
Using mysql_real_escape_string for a search query is a good option. However you need to be aware of 2 things :
1) If you apply this solution in an other situation, make sure the parameter is always quoted when it gets integrated. In short, mysql_real_escape_string does not protect you against numeric parameters. Here are 2 examples :
$bad_sql = "SELECT * FROM some_table WHERE id=" . mysql_real_escape_string($_GET['id']);
$good_sql = "SELECT * FROM some_table WHERE name='" . mysql_real_escape_string($_GET['id']) . "'";
2) The second thing to consider is that mysql_real_escape_string does not escape wildcard characters (% and _). You should not worry about that. However, a "perfect" solution escape those characters.
For more information you can take a look at http://www.sqlinjection.net.
FYI : The official mysql_real_escape_string reference http://php.net/manual/en/function.mysql-real-escape-string.php.
来源:https://stackoverflow.com/questions/9821570/how-to-escape-a-nsstring-to-prevent-sqlinjection-with-core-data