避免 PHP 中 SQL 注入的最安全方法?
我只是想知道这行代码是否可以安全地用来避免 SQL 注入?
// username and password sent from form
$myusername=$_POST['loginUserName'];
$mypassword=$_POST['loginPassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
我需要去掉斜线吗?
I just wonder if this line of code is safe to use to avoid SQL injection?
// username and password sent from form
$myusername=$_POST['loginUserName'];
$mypassword=$_POST['loginPassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
Do I need to stripslashes?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
使用准备好的语句更安全,以便将(可能是恶意的)值与查询字符串分开,而不是依赖转义。了解 PHP 数据对象。
关于
stripslashes(),只有当您打开了 PHP 的magic_quotes_gpc功能时才需要这样做,不应该,因为它已被弃用。不过,如果您想保持稳健,请执行 if (get_magic_quotes_gpc()) $myusername = stripslashes($myusername); ,这样当且仅当添加了一层斜杠时,它才会删除一层斜杠。It's safer to use prepared statements, so that the (potentially malicious) values are separated from the query string, rather than relying on escaping. Read about PHP Data Objects.
Regarding
stripslashes(), that should only be necessary if you have PHP'smagic_quotes_gpcfeature turned on, which you shouldn't because it's deprecated. If you want to be robust, though, doif (get_magic_quotes_gpc()) $myusername = stripslashes($myusername);so that it removes a layer of slashes if and only if one was added.