php 中每个数据库扩展的字符串如何转义?
在任何人对这个问题的性质得出结论之前,我已经了解
我对使用 MySQL 以外的数据库感兴趣,但我无法轻松找到关于如何转义每个数据库扩展的字符串的良好资源防止SQL注入。
PHP 文档列出了以下供应商特定的数据库扩展。我把我最感兴趣的加粗了:
- CUBRID
- dBase
- DB++
- FrontBase
- filePro
- Firebird/InterBase
- Informix
- IBM DB2
- Ingres
- MaxDB
- Mongo
- mSQL
- Mssql
- MySQL
- Mysqli
- Mysqlnd
- mysqlnd_ qc
- OCI8
- Ovrimos SQL
- Paradox
- PostgreSQL
- SQLite
- SQLite3
- Sybase
- tokyo_ tyrant
对于大多数参数化语句不起作用的动态查询示例:
"Select $col1, $col2 from $table where $col1 = ?"
在 $col1
、$col2
和 $table
已转义,该语句可以在准备好的语句中使用。
Before anyone jumps to conclusions as to the nature of this question, I already know about parameterized/prepared statements and use them whenever possible. Unfortunately, it is not always possible to use them when building dynamic queries.
I'm interested in working with databases other than MySQL, but I can't easily find good sources as to how to escape strings for each database extension to prevent SQL Injection.
The PHP docs list the following vendor specific database extensions. I've boldened the ones I'm most interested in:
- CUBRID
- dBase
- DB++
- FrontBase
- filePro
- Firebird/InterBase
- Informix
- IBM DB2
- Ingres
- MaxDB
- Mongo
- mSQL
- Mssql
- MySQL
- Mysqli
- Mysqlnd
- mysqlnd_ qc
- OCI8
- Ovrimos SQL
- Paradox
- PostgreSQL
- SQLite
- SQLite3
- Sybase
- tokyo_ tyrant
Example of dynamic query that wont work for most parameterized statements:
"Select $col1, $col2 from $table where $col1 = ?"
After $col1
, $col2
, and $table
have been escaped, the statement can be used in a prepared statement.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
PostgreSQL 和其他 (PDO)
PostgreSQL 可以使用 pg_escape_string字符串转义。
对于 PostgreSQL,由于
pg_query_params()
<,您不需要任何转义/a>除此之外,您应该将 PDO 与 准备 语句。他们会处理它,你可以单独传递参数;就像 pg_query_params() 一样
PostgreSQL and others (PDO)
PostgreSQL can use pg_escape_string for string escaping.
For PostgreSQL you don't need any escaping thanks to
pg_query_params()
Besides that, you should use PDO with prepared statements. They take care of it and you can pass arguments separately; just like with
pg_query_params()
MongoDB
在 MongoDB 中,您不编写 SQL,而是使用对象(“文档”)——您不必转义事物,因为您从不使用除数据之外的字符串。
但是,您确实需要确保您实际上将字符串而不是数组传递给 MongoDB API。至少在 PHP 中传递诸如
array('$ne' => 1)
这样的数组会导致!= 1
检查,因此与 SQL 注入同样危险。 。不幸的是,PHP 允许客户端在$_POST
等内部创建数组,只需使用 PHP 数组语法(如password[$ne]
)提供一个带有名称的字段即可。 [来源]MongoDB
In MongoDB you do not write SQL but work with objects ("documents") - you don't have to escape things as you never use strings except for data.
However, you do need to ensure that you actually pass strings and not arrays to the MongoDB API. At least in PHP passing an array such as
array('$ne' => 1)
would result in an!= 1
check and thus be similarly dangerous as SQL injection. And unfortunately PHP allows the client to create arrays inside$_POST
etc. by simply providing a field with a name using the PHP array syntax such aspassword[$ne]
. [Source]MySQL
使用 mysql_real_escape_string。
MySQL
Use mysql_real_escape_string.
MySQLi
使用 mysqli_real_escape_string。
MySQLi
Use mysqli_real_escape_string.
OCI8
据我所知,
: 应该可以解决问题,忽略通配符对于 LIKE 语句。
OCI8
As far as I can tell:
Should do the trick, ignoring wildcard chars for LIKE statements.
CUBRID
根据其手册,CUBRID PHP API 与 MySQL 具有相同的语法,即 cubrid_real_escape_string。在新的 CUBRID 8.4.0 版本中,它提供了 与 MySQL 的兼容性达到 90%。
CUBRID
According to its manual, CUBRID PHP API has the same syntax as MySQL, i.e. cubrid_real_escape_string. With its new CUBRID 8.4.0 release it provides 90% compatibility with MySQL.