在复选框、单选按钮或下拉菜单上执行 mysql_real_escape_string?
有没有什么办法可以对复选框、单选按钮或下拉菜单(例如国家、出生年份)进行 SQL 注入?
另外,假设,如果有人在文本字段中输入他们的猫的名字,那么在我将它们插入 mysql 表之前运行以下代码行是否足够?
$catsName = preg_replace('/[^a-z]/i', '', $_POST['yourCat']);
或者我还必须这样做吗?
$catsName = mysql_real_escape_string($_POST['yourCat']);
Is there any way someone can do a sql injection for checkboxes, radio buttons or drop-down menus (ex. country, year of birth)?
Also, hypothetically, if someone enters their cat's name into a text field, would it be enough to run the following line of code before I insert them into the mysql table?
$catsName = preg_replace('/[^a-z]/i', '', $_POST['yourCat']);
Or would I have to this in addition?
$catsName = mysql_real_escape_string($_POST['yourCat']);
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
单选按钮、复选框等在 HTML 代码中都有一个值选项,可以使用 firebug 轻松更改(还有许多其他类似的工具)。因此,如果您清理用户提供的所有输入,那就更好了。
至于第二个问题,
mysql_real_escape_string就足够了。不需要执行preg_replaceThe radio buttons, check boxes etc, have a value option in the HTML code, which can be easily changed with firebug(There are many other similar tools). So, its better if you sanitize all the input that the user gives.
And as for the second question,
mysql_real_escape_stringis enough. Dont need to do thepreg_replace广告 1) SQL 注入可以在任何地方尝试。表单作为名称/值对列表进行传输,无论它是复选框、下拉列表还是其他形式。因此,对于您的下拉“国家”,我可以向您发送任意值。
Ad 2) 始终使用 DBMS 驱动程序函数进行转义和参数绑定。
Ad 1) SQL-injection can be tried everywhere. A form is transmitted as a list of name/value pairs, no matter if it is a checkbox, a dropdown or whatever. So also for your dropdown "country" I can send you arbitrary values.
Ad 2) Always uses your DBMS drivers functions for escaping and parameter binding.
永远假设客户是一个邪恶的天才,并且比你聪明。
为了避免 SQL 注入,请始终使用 mysql_real_escape_string 转义客户端数据,或者更好的是,使用可以为您完成此操作的数据库包装器。
你的第一个正则表达式仍然有用,但不适用于 SQL 注入。您可能要防止的是 HTML 注入 - 如果您曾经在网页上逐字显示输入,则可以防止任何恶意行为,例如某些流氓 javascript。
Always assume the client is an evil genius, and smarter than you.
To avoid SQL injection, always escape client-side data with mysql_real_escape_string, or better yet, use a database wrapper which does it for you.
Your first regex is still useful though, but not for SQL injection. What you might be preventing there is HTML injection - if you ever displayed the input verbatim on a web page, you can prevent anything nefarious like some rogue javascript.
进行 SQL 注入的能力并不取决于输入的类型,而是取决于您如何使用接收到的值。任何 HTML 输入控件以及生成的表单提交都可以手动编辑以包含任何内容。因此,任何输入都必须经过净化和减少,以仅包含您需要的信息。
因此,如果您使用如下复选框......
您就安全了。另一方面,如果您决定直接存储从用户收到的值并进行比较...
那么“您的所有数据将属于黑客”:)
至于第二个问题,
preg可能在这种特殊情况下就足够了,但是如果您更改正则表达式或错误地修改它,它可能会变得不够。最好始终转义提供给数据库的数据,以确保此类错误不会使您的代码容易受到 SQL 注入的攻击。The ability to do SQL injection does not depend on the type of the input, it depends on how do you use the received value. Any HTML input control, and the resulting form submission, can be hand-edited to contain anything. Therefore any input must be sanitized and reduced to contain only the information you need.
So, if you use a checkbox as follows...
you're safe. On the other hand, if you decide to store the value received from the user directly and compare it...
then "all your data will belong to hackers" :)
As for the second question,
pregmay be enough in this particular case, but if you change a regex, or modify it incorrectly, it could become insufficient. It is a good practice to always escape data given to the database to make sure such errors do not make your code vulnerable to SQL injection.