Sanitizing input for SQL queries in ADOdb for PHP
I'm optimizing a platform that uses ADOdb for PHP. I used a sanitization function that avoids SQL injection for previous versions of PHP (mysql_escape_string), which is obviously no longer supported or recommended.
For those that haven't used the library, it goes something like this:
$rs = $cnn->Execute('SELECT * FROM user WHERE id_user='.q($_GET['id']));
Example when updating a row:
$record = array();
$record['name'] = q($_GET['name']);
$record['last_update'] = time();
$rsProfile = $cnn->Execute('SELECT * FROM user WHERE id_user='.q($_GET['id']));
$sql = $cnn->GetUpdateSQL($rsProfile,$record);
if($sql) $cnn->Execute($sql);
In this case, q($string) is the sanitize function, which I'm trying to improve. I don't have access to install PDO on this server, so that's not an option.
The current q() uses mysql_real_escape_string without the 2nd argument:
function q($data) {
    // Only non-empty strings are escaped and wrapped in single quotes; numbers,
    // empty strings, nulls and arrays are returned exactly as they came in.
    if(!empty($data) && is_string($data)) {
        // Hand-rolled escaping of backslash, NUL, newline, CR, both quote
        // characters and Ctrl-Z, applied in that order by str_replace().
        $data = str_replace(array('\\', "\0", "\n", "\r", "'", '"', "\x1a"), array('\\\\', '\\0', '\\n', '\\r', "\\'", '\\"', '\\Z'), $data);
        $data = "'".$data."'";
    }
    return $data;
}
Someone recommended filter_var($value, FILTER_SANITIZE_STRING) on another forum, but I honestly haven't used that for these matters.
Any recommendations on how to improve the security of this function's purpose?
Update 1
function q($data) {
    if(is_string($data)) {
        // Strings: escape with the connection's rules and wrap in single quotes.
        return "'".mysql_real_escape_string($data)."'";
    } elseif(is_numeric($data) || is_bool($data)) {
        // Numbers and booleans are returned as-is, unquoted.
        return $data;
    } else {
        // Anything else (null, arrays, objects) becomes an empty string literal.
        return "''";
    }
}
Comments (2)
I am sorry for disappointing you, but your sanitization function, whatever it does, does not "sanitize" anything, and you have an injection possible in the very code you posted here.
Just call your script this way
and see if this code "sanitized" anything.
Sure.
First of all you have to understand what escaping is and how to use it.
Then you have to start using placeholders, I believe
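The placeholder approach the answer above recommends, as an added example that is not part of the original thread or of the ADOdb project: the two queries from the question rewritten with ADOdb's bind parameters (Execute($sql, $params) with ? markers) and AutoExecute(), plus integer validation of the id and a whitelist for anything that cannot be bound. It assumes an ADOdb connection $cnn has already been opened with NewADOConnection() and Connect(); the table and column names are the question's own, and the helper names readUserId, fetchUser, updateUserName, updateUserNameAuto and orderBy are mine.

```php
<?php
// Added example: the question's queries rewritten with ADOdb bind parameters.
// Not code from the original thread or the ADOdb project. Assumes an ADOdb
// connection $cnn has already been opened (NewADOConnection() + Connect()) and
// that adodb.inc.php is on the include path; table and column names are the
// question's own. Helper names (readUserId, fetchUser, ...) are my own.
declare(strict_types=1);

// Step 1: validate rather than "sanitize". An id is an integer or the request
// is rejected. FILTER_VALIDATE_INT returns false for anything that is not a
// plain integer, including "1e3", "" and array input such as ?id[]=1, so the
// value that reaches the query is a PHP int, not request text.
function readUserId(array $get): ?int
{
    $id = filter_var(
        $get['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Step 2: bind values instead of splicing them into the SQL text. ADOdb's
// Execute() takes an array of values for the ? markers and applies the
// driver's quoting itself, so q() is not needed at all.
function fetchUser(ADOConnection $cnn, int $id)
{
    $rs = $cnn->Execute('SELECT * FROM user WHERE id_user = ?', [$id]);
    if ($rs === false) {
        throw new RuntimeException('query failed: ' . $cnn->ErrorMsg());
    }
    return $rs->FetchRow();   // row array, or false when no row matched
}

// The update from the question: the user-supplied name goes in the parameter
// array, with no escaping in application code.
function updateUserName(ADOConnection $cnn, int $id, string $name): bool
{
    $ok = $cnn->Execute(
        'UPDATE user SET name = ?, last_update = ? WHERE id_user = ?',
        [$name, time(), $id]
    );
    return $ok !== false && $cnn->Affected_Rows() > 0;
}

// The GetUpdateSQL() pattern from the question maps onto AutoExecute(), which
// quotes the field values itself. Only the WHERE clause is a string, and the
// only thing spliced into it is the already-validated integer.
function updateUserNameAuto(ADOConnection $cnn, int $id, string $name): bool
{
    $record = ['name' => $name, 'last_update' => time()];   // no q() on the values
    return (bool) $cnn->AutoExecute('user', $record, 'UPDATE', 'id_user = ' . $id);
}

// Identifiers (column names, sort direction) cannot be bound, so they come
// from a whitelist, never from escaping.
function orderBy(string $requested): string
{
    $allowed = ['id_user', 'name', 'last_update'];
    return in_array($requested, $allowed, true) ? $requested : 'id_user';
}

// Request handling as the question's script would do it.
$id = readUserId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}
$user = fetchUser($cnn, $id);
if ($user !== false && isset($_GET['name']) && is_string($_GET['name'])) {
    updateUserName($cnn, $id, $_GET['name']);
}
```

Two caveats for the other suggestions in the thread: FILTER_SANITIZE_STRING strips tags and encodes quotes for HTML output, is not an SQL escaping function, and is deprecated as of PHP 8.1; and mysql_real_escape_string belongs to the mysql extension that was removed in PHP 7.0. Where legacy code must still build a string by hand, ADOdb's own $cnn->qstr($value) quotes with the connected driver's escaping and is the drop-in replacement for q() on string values.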
From the documentation of mysql_escape_string:

So, if you are using mysql, you should be just fine with mysql_real_escape_string.