addslashes(stripslashes($field)) 能保证sql注入无漏洞吗?
减去整个addslashes()与mysqli_real_escape_string()论证将剥离然后添加斜杠保证sql注入无懈可击?这是否会以任何方式改变数据,例如从数据库获取字符串后显示带有双斜杠的字符串?
Minus the whole addslashes() vs mysqli_real_escape_string() argumentation will stripping then adding slashes guarantee sql injection invulverability? Will this alter the data in anyway, for example displaying the string with double slashes after fetching it from the database?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
所以你想做的是
在这种情况下
所以不这可能什么也不做
这就是为什么你应该更喜欢 mysql_real_escape_string
so what you want to do is
in that case
so no this would probably do nothing
thats why you should prefer mysql_real_escape_string
转义字符 (
addslashes()) 可以保护您免受 SQL 注入。我不是如何清理输入的专家,原因如下:我跳过了整个“清理”的事情,直接进入准备好的声明。清理/转义意味着你必须在输出端做相反的事情,这意味着每次都会加倍努力,并且在某个地方搞砸的机会加倍 - 允许错误的输入。如果你只是扑通 < a href="http://php.net/manual/en/book.pdo.php" rel="nofollow">PDO 在您执行的每个数据库查询和数据库本身之间,您的担忧就结束了。
当然,这并不是说 PDO 可以保护您免受 CSRF 等攻击或 XSS,但实际存储的值是 SQL 注入安全的,您可以在存储之前剥离 html 或任何需要执行的操作,以防止此类攻击。
Escaping characters (
addslashes()) may protect you from SQL Injection. I'm not an expert on how to sanitize inputs, and here's why:I skipped the whole "sanitizing" thing and went straight to prepared statements. Sanitizing / escaping means you have to do the reverse on the output side, which means double the effort every time, and double the chances to mess up somewhere - allowing bad input in. If you just plop the PDO between every database query you do and the database itself, your worries are over.
That's not to say, of course, that the PDO protects you from attacks like CSRF or XSS, but the actual stored values are SQL-injection-safe, and you can strip html or whatever you need to do before you store it to protect from attacks like those.
不
使用:mysql_real_escape_string。
为什么:你没有考虑很多问题,主要是字符串编码等......
NO
use: mysql_real_escape_string.
Why: you are not considering a ton of issues, mainly encoding of strings, etc...
不,拥有适量的斜杠有助于解决某些漏洞,但您仍然需要检查用户输入。永远无法保证 SQL 注入不会受到攻击。
No, having the right amount of slashes helps with some vulnerabilities, but you still need to check user input. There is no guarantee sql injection invulnerability, ever.
在大多数情况下,addslashes() 会保护你。至于获取输出,这取决于你如何提交它,如果你这样做,
你就会得到鲍勃的鞋子。
当您将其放入数据库中时,
输出
将是鲍勃的鞋子,如您所愿,插入时的 sql 会删除斜杠。
如果你对此感到不满,你可以说添加其他预防措施,但如果你想要一个快速而简单的东西,而不是一个极其安全的网站,那应该没问题。如果你查找的话,还有内置的 php sanitize 函数
addslashes() will protect you in most cases. As for the getting the output, it depends how your submitting it, if you do
you'll get Bob\'s shoes.
When you put this in your database
The output of
will be Bob's shoes as you intended, the slashes are removed by the sql on insert.
If your anal about it you can say add other precautions, but if you want a quick and easy thing that's not a ridiculously secure website it should be fine. there's also built in php sanitize functions if you look them up