Explanation of this SQL sanitize code
I got this from a login form tutorial:
function sanitize($securitystring) {
    // Remove leading and trailing whitespace (the @ suppresses any warning).
    // The tutorial's version read from an undefined $str here; it must use the parameter.
    $securitystring = @trim($securitystring);
    // If magic_quotes_gpc already added backslashes to the request data, undo them first
    if (get_magic_quotes_gpc()) {
        $securitystring = stripslashes($securitystring);
    }
    // Escape the value for use inside a quoted MySQL string literal
    return mysql_real_escape_string($securitystring);
}
Could someone explain exactly what this does? I know that the 'clean' var is called up afterwards to sanitize the fields, i.e. $email = sanitize($_POST['email']);
Comments (5)
Basically, if you have magic quotes switched on, special characters in POST/SESSION data will automatically be escaped (same as applying addslashes() to the string). The MySQL escape functions are better than PHP's addslashes() (although I can't remember the exact reasons why).
What your code does is check if the php.ini file has magic quotes turned on; if so, the slashes are stripped from the data and then it is re-sanitised using the MySQL function. If magic quotes are not on, there is no need to strip slashes, so the data is just sanitised with the MySQL function and returned.
First of all, this code is wrong.
It has a wrong meaning and a wrong name.
No SQL data preparation code does any cleaning or sanitization.
It does merely escaping. And this escaping must be unconditional,
and escaping shouldn't be mixed with anything else.
So, it must be three separate functions, not one.
So, the only mysql-related function here is mysql_real_escape_string(). Though it makes no data "clean", it merely escapes delimiters. Therefore, this function must be used only with data that is considered a string and enclosed in quotes. So, this is a good example:
while this example is wrong:
Even though $query2 would not throw a syntax error, this is wrong data preparation and mysql_real_escape_string would help nothing here. So, this function can be used only to escape data that is treated as a string. Though it can be done to any data type, there are some exceptions, such as LIMIT parameters, which cannot be treated as strings.
trim() gets rid of all whitespace, and if magic quotes is on, the backslash is removed from any escaped quotes with stripslashes(). mysql_real_escape_string() readies a string to be used in a mysql query safely. Here are the docs for the functions used: http://php.net/manual/en/function.trim.php, http://php.net/manual/en/function.get-magic-quotes-gpc.php, http://php.net/manual/en/function.stripslashes.php, http://php.net/manual/en/function.mysql-real-escape-string.php
mysql_real_escape_string is used to escape characters in the string, adding backslashes to characters such as ', which prevents an attacker from embedding additional SQL statements into the string. If the string is not escaped, additional SQL can be appended. For example, something along the lines of this might be executed: SELECT * FROM tbl WHERE col = 'test' ; DELETE * FROM tbl ; SELECT 'owned'
magic_quotes does escaping of its own, although if I remember correctly its use is now discouraged. Besides, the MySQL function will do all the escaping you need to prevent SQL injection attacks.
Some (old) servers have magic_quotes enabled. That means that all external input is altered to (supposedly) escape it in order to be injected in a MySQL query. So O'Brian becomes O\'Brian. This was an early design decision by the PHP team that proved wrong, so it's way better to code without magic_quotes. The problem comes with redistributable code: you cannot know if the server will have magic_quotes enabled or disabled. So you can use get_magic_quotes_gpc() to detect if they're on and, if so, use stripslashes() to (try to) recover the original input.