问题
I have heard that sprintf() protects against SQL injection. Is it true? If so, how?
Why people are recommending to write query like this:
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);
回答1:
sprintf wont protect! it only replaces the %s
you must mysql_real_escape_string so:
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));
is safer injection
note: I sugets you take a look at PDO , that is what I like to use for DBconections and queries
回答2:
That doesn't do any protection. Using sprintf makes for more readable code then dropping in and out of a string to run mysql_real_escape_string over each of the variables … but that example doesn't escape the variables at the end so that advantage is lost.
If you want decent protection, use something that provides bound parameters.
回答3:
Using sprintf might protect against SQL injection for numeric fields:
$sql = sprintf("SELECT * FROM table WHERE col1 = %i", $col1);
By using sprintf in this way, you can be sure that $col1 will be converted to an integer--although it might generate an error or warning, if it's not truly an integer.
The proper way to protect against SQL injection is to check all of your input values, and do escaping. But that's much more thoroughly covered in other questions, so I'm not going to go into detail here.
回答4:
It obviously doesn't and if you've actually read that in a book or tutorial you should automatically discard it for future reference.
However, it can be a practical way to generate output that needs further processing. Please compare:
echo '<p>Hello, <strong></strong>' . htmlspecialchars($name) . ', welcome to ' . htmlspecialchars($place). '</p>';
echo sprintf('<p>Hello, <strong>%s</strong>, welcome to %s</p>',
htmlspecialchars($name),
htmlspecialchars($place)
);
Same applies to other kind of output, such as SQL code, but of course you still need to do something to input in order to make it safe: sprintf() is just a regular string function that's unaware of SQL and databases.
Please note that bind parameters use a similar syntax:
// Fictional DB abstraction layer
$sql = 'SELECT foo_id
FROM foo
WHERE name=:name AND status=:status';
$params = array(
'name' => $name,
'status' => $status,
);
$result = $db->run($sql, $params);
That's why I particularly find easier to use those DB libraries that provide this syntax, such as PDO.
来源:https://stackoverflow.com/questions/6646731/how-does-sprintf-protect-against-sql-injection