mysql_real_escape_string() 不清理变量
我正在开发一个现有网站,试图防止 SQL 注入。在 $_GET['ID'] 未清理之前。
$ID=mysql_real_escape_string($_GET['ID']);
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID=$ID AND s1.MERCHANT_ID=me.MERCHANT_ID");
如果我在 url 末尾加上 ' ,使用 mysql_real_escape_string() ,我会从 mysql_error() 得到:
您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,了解在第 1 行 '\\' AND s1.MERCHANT_ID=me.MERCHANT_ID' 附近使用的正确语法
而不使用 mysql_real_escape_string() 我得到:
您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,了解在第 1 行 '\' AND s1.MERCHANT_ID=me.MERCHANT_ID' 附近使用的正确语法
我不确定这是怎么回事?任何帮助将不胜感激。
I'm working on an existing website trying to prevent SQL injections. Before $_GET['ID'] was unsanitized.
$ID=mysql_real_escape_string($_GET['ID']);
$sQuery=mysql_query("select * from tbl_mini_website as s1, tbl_actor_merchant as me where s1.MERCHANT_ID=$ID AND s1.MERCHANT_ID=me.MERCHANT_ID");
If I put a ' at the end of the url, with mysql_real_escape_string() I get this from mysql_error():
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1
with out mysql_real_escape_string() I get:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND s1.MERCHANT_ID=me.MERCHANT_ID' at line 1
I'm not sure whats up with it? Any help would be greatly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
如果它是一个 id,我假设是数字,为什么不将它转换为整数呢?
我能给你的最好建议是查看 PDO 并使用绑定参数。
If it is an id, numerical I assume, why don't you just cast it to an integer?
The best advice I can give you is to check out PDO and use bound parameters.
mysql_real_escape_string 转义,但不引用。
尝试:
更一般地,我倾向于将这两者包装在一个函数中,例如:
这很有用,因为您可能会发现您想要更精致的引用行为(特别是在处理 Unicode、控制字符等时)。 )
mysql_real_escape_string escapes, but doesn't quote.
Try:
More generally, I tend to wrap both of these in a function, like:
This is useful, because you may find down the line that you want more refined quoting behavior (especially when it comes to handling Unicode, control characters, etc.)
这是因为您没有引用该变量。
这是给定以下输入的查询
It's because you're not quoting the variable.
Here's your query given the following inputs
Phil Brown 是对的,但是你应该忘记老式的
mysql_real_escape_string 或 mysql_connect()因为它们已经很老了,并转移到 php 的 PDO() ,你可以在其中使用准备好的语句、绑定、获取任何对象还有更多的功能。我建议阅读 PDO 文档 http://php.net/manual/en/book.pdo .php 如果您想要下一代数据库操作和 SQL 注入的安全性。
Phil Brown is right, but you shoul forget about old fashioned
mysql_real_escape_string or mysql_connect()as they are very old and move to php`s PDO() where you cand use prepared statements, binds, fetch object any many many more functions.I suggest read PDO documentation at http://php.net/manual/en/book.pdo.php if you want next generation dabatase manipulation and security from SQL Injection .