我可以免受 MySQL 注入攻击吗?

发布于 2024-09-17 05:08:22 字数 126 浏览 5 评论 0 原文

以下内容是否足以避免 SQL 注入?

mysql_real_escape_string(htmlentities (urlencode($_POST['postmessage'])));

Is the following good enough to avoid a SQL injection?

mysql_real_escape_string(htmlentities (urlencode($_POST['postmessage'])));

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

王权女流氓 2024-09-24 05:08:22

mysql_real_escape_string() 是您在这里需要的唯一方法。

在数据库中插入数据之前,不应执行 htmlentities()urlencode()。这些方法通常是在呈现您提供给用户的视图期间执行的代码。

避免 SQL 注入的更好方法是使用准备好的语句


资源:

同一主题:

mysql_real_escape_string() is the only method you need here.

You shouldn't do an htmlentities() nor urlencode() before inserting data in your database. These methods are usually code executed during the rendering of the view you offer to your users.

A better way to avoid SQL injection is the use of prepared statements.


Resources:

On the same topic:

柠檬心 2024-09-24 05:08:22

我认为您混淆了两个安全问题: SQL 注入跨站脚本攻击 (XSS)

当发送到 SQL 数据库的 SQL 查询中使用未经正确清理的用户输入时,网站很容易受到 SQL 注入的攻击。例如,这段代码引入了一个 SQL 注入漏洞:

mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . $_POST['postmessage'] . "')");

通过使用像 mysql_real_escape_string 这样的函数转义用户输入,这个问题很容易修复:

mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . mysql_real_escape_string($_POST['postmessage']) . "')");

这就是您需要做的所有事情,但棘手的部分是记住对 SQL 语句中使用的每条用户输入执行此操作。

当用户输入在发送到客户端的 HTML 中使用时,网站很容易受到跨站点脚本攻击。例如,此代码引入了 XSS 漏洞:

echo "<div class='postmessage'>" . $_POST['postmessage'] . "</div>";

通过使用 htmlspecialchars

echo "<div class='postmessage'>" . htmlspecialchars($_POST['postmessage']) . "</div>";

同样,这很容易做到,但很容易被忘记。

通常,放置在数据库中以用于稍后发回 HTML 的用户输入不会被修改。也就是说,仅使用mysql_real_escape_string。但是,您可以转义用户输入以防止 XSS,然后转义 XSS 安全字符串以防止 SQL 注入:

mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . mysql_real_escape_string(htmlspecialchars($_POST['postmessage'])) . "')");

好处是您不需要记住使用 htmlspecialchars 从数据库中转义值在将它们写入 HTML 之前。缺点是某些值可能需要使用不同的函数进行转义。例如,用户名可能会使用 htmlspecialchars 进行转义,但“postmessage”可能允许 BBcode、Markdown 或 HTML 子集。如果您转义了所有输入以防止 XSS,那么您需要使用例如 htmlspecialchars_decode

一个问题是,对转义字符串进行取消转义并不总是返回原始字符串(unescape(escape($orig)) 不一定与 $orig 相同)。即使使用 htmlspecialcharshtmlspecialchars_decode,使用不同的引号样式也会导致此问题。另一个例子是,如果使用strip_tags,则信息将被不可恢复地删除;您将无法撤消 strip_tags。因此,许多开发人员选择使用 mysql_real_escape_string 仅将值保存到数据库中,并使用 htmlspecialchars (或其他)从数据库中准备要在 HTML 中使用的字符串。

I think that you are confusing two security issues: SQL injection and cross-site scripting (XSS).

A website is vulnerable to SQL injection when improperly sanitized user input is used in an SQL query that is sent to the SQL database. This code, for example, introduces an SQL injection vulnerability:

mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . $_POST['postmessage'] . "')");

This problem is easy to fix by escaping the user input with a function like mysql_real_escape_string:

mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . mysql_real_escape_string($_POST['postmessage']) . "')");

That's all that you need to do, but the tricky part is remembering to do this for every piece of user input that is used in an SQL statement.

A website is vulnerable to cross-site scripting when user input is used in HTML that is sent to a client. This code, for example, introduces a XSS vulnerability:

echo "<div class='postmessage'>" . $_POST['postmessage'] . "</div>";

A XSS vulnerability is fixed by escaping the user input with a function like htmlspecialchars:

echo "<div class='postmessage'>" . htmlspecialchars($_POST['postmessage']) . "</div>";

Again, this is easy to do, but easily forgotten.

Usually, user input that is placed in a database to be used in sending back HTML at a later time is saved unmodified. That is, only mysql_real_escape_string is used. However, you could escape user input to prevent XSS, and then escape the XSS-safe string to prevent SQL injection:

mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . mysql_real_escape_string(htmlspecialchars($_POST['postmessage'])) . "')");

The benefit is that you don't need to remember to escape values from the database with htmlspecialchars before writing them into HTML. The drawback is that some values may need to be escaped with different functions. For example, a user name would probably be escaped with htmlspecialchars, but a "postmessage" might allow BBcode, Markdown, or a subset of HTML. If you escaped all input to prevent XSS, then you would need to unescape values from the database with, for example, htmlspecialchars_decode.

One problem is that unescaping the escaped string does not always return the original string (unescape(escape($orig)) is not necessarily the same as $orig). Even with htmlspecialchars and htmlspecialchars_decode, using a different quote style will cause this problem. Another example is that if strip_tags is used, then information is removed irrecoverably; you will not be able to undo the strip_tags. Thus, many developers choose to use mysql_real_escape_string only to save values into the database and htmlspecialchars (or whatever) to prepare a string from the database to be used in HTML.

滥情稳全场 2024-09-24 05:08:22

是的,但是不使用 mysql_real_escape_string() 是有原因的。首先,打字很痛苦。其次,你必须记住每次都使用它。第三,它使你的代码变得丑陋。第四,你必须记住引用你的字符串。第五,以这种方式在数据库中插入 blob 更加困难。

从长远来看,学习 PDO 将使您的生活变得更好。它比简单地使用 mysql_real_escape_string() 更难学习,但长期的好处超过了学习曲线的不便。

Yes, but there's a reason for not using mysql_real_escape_string(). First, it's a pain to type. Second, you have to remember to use it every time. Third, it makes your code ugly. Fourth you have to remember to quote your strings. Fifth, it's more difficult to insert blobs in a db this way.

Learning PDO will make your life better in the long run. It's more difficult to learn than simply using mysql_real_escape_string(), but the long term benefits outweigh the inconvenience of a learning curve.

左秋 2024-09-24 05:08:22

您还应该确保在插入代码的地方使用 "

例如,如果您执行

$_POST['userid'] = mysql_real_escape_string($_POST['userid']);
mysql_query('SELECT * FROM user WHERE userid = '. $_POST['userid']);

mysql_real_escape_string 没有任何帮助。这是因为 $_POST['userid'] 没有被 ' 包围。

所以你应该

$_POST['userid'] = mysql_real_escape_string($_POST['userid']);
mysql_query('SELET * FROM user WHERE userid = \''. $_POST['userid'] .'\'');

这样做。

因此,在变量上使用 mysql_real_escape_string 并不自动意味着它们在任何查询中都是安全的。

另一种方法是使用 prepared 。声明

You should also make sure to use " around the place where you insert your code.

For example, if you do

$_POST['userid'] = mysql_real_escape_string($_POST['userid']);
mysql_query('SELECT * FROM user WHERE userid = '. $_POST['userid']);

mysql_real_escape_string wouldn't help anything. It's because $_POST['userid'] is not surrounded by '.

So you should do

$_POST['userid'] = mysql_real_escape_string($_POST['userid']);
mysql_query('SELET * FROM user WHERE userid = \''. $_POST['userid'] .'\'');

instead.

So using mysql_real_escape_string on your variables does not automatically mean they are secure in any query.

Another approach would be to use prepared statements.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文