SQL Injection Prevention - GET_VARS

Submitted by 寵の児 on 2019-12-24 03:04:23

Question


I have a url, that when valid would look like this:

site.com/page.php?id=12345

I'm trying to understand if we're vulnerable to SQL injection. In this particular instance, the value should only be a positive integer value, since it's an ID number. We do sometimes use other variables that could be a letter or a string of text, for example on the search results pages.

An example of the code used to extract the ID variable is here:

$variable = "0";
if (isset($HTTP_GET_VARS["id"])) {
  // If magic quotes already backslash-escaped the input, take it as-is;
  // otherwise apply addslashes(), which only escapes ' " \ and NUL.
  $variable = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS["id"] : addslashes($HTTP_GET_VARS["id"]);
}

In most instances of getting a variable from the url, it is approached this way.

Is this doing anything to prevent sql injections?

Should I be using mysql_real_escape_string?

I've been reading about prepared statements, but it seems daunting and we use these variables all over the place on site with a lot of pages and queries. Going through and replacing them just isn't viable in the short or mid term.

If there was an alternative way to go about validating the data without prepared statements, any advice would be much appreciated.

Thanks in advance.


Answer 1:


Is this doing anything to prevent sql injections?

No.

Should I be using mysql_real_escape_string?

No.

If there was an alternative way.

No.
Every way will require rewriting all of the code, one way or another.

However, the choice is yours.
If the site's value isn't worth the effort required to rewrite it properly, well, keep it as is.
If the value is high, try to hire someone to do the job, for example.
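The following is an added example, not part of the question or the answer above, that demonstrates why the `addslashes()` pattern in the question does nothing for an unquoted integer parameter, and what the two workable fixes look like. It is written in Python against an in-memory SQLite database so it runs offline; `addslashes()` is re-implemented with PHP's semantics (backslash before `'`, `"`, `\` and NUL), the `users` table and its three rows are constructed sample data, and the attack string `12345 OR 1=1` is chosen because it contains no quote characters, so escaping cannot touch it.

```python
import re
import sqlite3

# Constructed sample data: the page id 12345 is the only row a visitor should see.
ROWS = [(12345, "alice"), (12346, "bob"), (12347, "carol")]


def make_db():
    """Build an in-memory SQLite table standing in for the site's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def addslashes(s):
    """Python re-implementation of PHP addslashes(): backslash before ' \" \\ and NUL."""
    return re.sub(r"(['\"\\\x00])", r"\\\1", s)


def lookup_addslashes(conn, raw_id):
    """The pattern from the question: escape quotes, then splice the value into
    SQL *without* surrounding quotes. addslashes() only matters inside a quoted
    string literal, so an injection that uses no quote characters passes through."""
    variable = addslashes(raw_id)
    sql = "SELECT name FROM users WHERE id = " + variable
    return [row[0] for row in conn.execute(sql)]


def lookup_int_cast(conn, raw_id):
    """Whitelist validation for an id: accept only an unsigned decimal integer,
    otherwise fall back to 0 (the same default the original code starts with).
    Equivalent in PHP to ctype_digit($id) ? (int)$id : 0."""
    variable = int(raw_id) if re.fullmatch(r"[0-9]+", raw_id) else 0
    sql = "SELECT name FROM users WHERE id = %d" % variable
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, raw_id):
    """Parameterized query: the value travels separately from the SQL text, so
    whatever it contains is compared as data, never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (raw_id,))
    return [row[0] for row in rows]


def demo():
    """Run the three variants against the same attack string and return the results."""
    conn = make_db()
    attack = "12345 OR 1=1"  # no quote characters: addslashes() leaves it untouched
    return {
        "addslashes_attack": lookup_addslashes(conn, attack),  # leaks every row
        "int_cast_attack": lookup_int_cast(conn, attack),      # falls back to id 0: nothing
        "prepared_attack": lookup_prepared(conn, attack),      # compared as text: nothing
        "prepared_legit": lookup_prepared(conn, "12345"),      # normal request still works
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

For a parameter that really is a numeric ID, the integer cast is a self-contained fix that can be applied file by file without restructuring the queries; for the free-text parameters the question mentions (search terms and the like) no escaping function substitutes for binding the value with a prepared statement (PDO or mysqli in PHP), which is the direction the answer points to.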



Source: https://stackoverflow.com/questions/16557785/sql-injection-prevention-get-vars
