Question
I am using addslashes() on all the parameters received by the page, and I am also putting single quotes around those variables in the MySQL query. Here is my code:
$string = addslashes($_POST['string']);
$queryString = " INSERT INTO general (description) VALUES ('$string')";
$query = mysql_query($queryString);
AND
$queryString = "SELECT description FROM general WHERE description = '".$string."'";
$query = mysql_query($queryString);
Is there any chance of SQL INJECTION in this code?
Answer 1:
Read this article: addslashes() Versus mysql_real_escape_string()
Excerpt:
If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character.
Notice:
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
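To make the excerpt in answer 1 concrete, here is an added example (not from the question, the answers or the linked article) that reimplements PHP's byte-level addslashes() in Python and shows how the same escaped bytes read differently under a GBK and a UTF-8 connection charset, and how charset-aware escaping (what mysql_real_escape_string() does conceptually) rejects the malformed sequence instead; the sample inputs are constructed, and the real fix remains the prepared statements shown in answer 2.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-level escaping like PHP's addslashes(): prefix ' " \\ with a
    backslash and turn NUL into \\0, with no idea of the character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def quote_is_escaped(escaped: bytes, charset: str) -> bool:
    """Interpret the escaped bytes the way a server using `charset` would and
    report whether the last single quote is still preceded by a backslash
    *character* after decoding (i.e. whether the escaping survived)."""
    text = escaped.decode(charset, errors="replace")
    i = text.rfind("'")
    return i > 0 and text[i - 1] == "\\"


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode with the connection charset first, escape at character level,
    then re-encode. Malformed byte sequences raise instead of slipping through."""
    text = data.decode(charset)  # strict: UnicodeDecodeError on bad sequences
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return text.encode(charset)


def rejects_malformed(data: bytes, charset: str) -> bool:
    """True if charset-aware escaping refuses the input as malformed."""
    try:
        charset_aware_escape(data, charset)
    except UnicodeDecodeError:
        return True
    return False


if __name__ == "__main__":
    payload = b"\xbf\x27"                 # constructed: the 0xbf27 from the article
    escaped = addslashes(payload)         # becomes 0xbf5c27
    print(escaped.hex())                  # bf5c27
    print("utf8 keeps quote escaped:", quote_is_escaped(escaped, "utf-8"))
    print("gbk keeps quote escaped: ", quote_is_escaped(escaped, "gbk"))
    print("charset-aware escape rejects it under gbk:",
          rejects_malformed(payload, "gbk"))
```

Under UTF-8 the lone 0xbf byte is simply invalid and the backslash keeps protecting the quote; under GBK 0xbf5c decodes to one character and the quote is left bare, which is why escaping that ignores the connection charset is not a defence.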
Answer 2:
Hey, the mysql_connect function is now deprecated, as PHP's giant warning sign shows. However, if you insist on using the deprecated functions, then you have to sanitize all variables using the mysql_real_escape_string() function and also pass them to the strip_tags() function.
But why don't you rather use MySQLi via prepared statements, or better still use PDO, which I believe is the best. MySQLi and PDO do automatic data sanitization, which ensures that an SQL injection attack is not possible.
If you are ready to go with PDO, then I can help you with a start. I hope this helps.
PDO connection (pdo.php)
<?php
// Connection with an explicit charset, so escaping and the server agree
$db = new PDO(
    'mysql:host=localhost;dbname=sectona_db;charset=utf8',
    'root',   // username
    'root99'  // password
);
?>
Using the connection (insert with a prepared statement)
<?php
require("pdo.php");
$username = $_POST['username'];
$photo = $_POST['photo'];
// Placeholders keep the user-supplied values out of the SQL text entirely
$statement = $db->prepare('INSERT INTO users (username, photo)
values
(:username, :photo)');
$statement->execute(array(
    ':username' => $username,
    ':photo'    => $photo
));
echo 'data submitted';
?>
Source: https://stackoverflow.com/questions/26966056/is-addslashes-secure-enough-to-avoid-sql-injections