Does this stop SQL injection?
I have been using the block of code below to supposedly stop SQL injections. It is something someone showed me when I first started PHP (which was not that long ago).
I place it in every page just as shown on the open. I am wondering if it is effective? I do not know how to test for SQL injections.
<?php
// Start the session
session_start();

// ======================= open connection
include ('lib/dbconfig.php');

// =============== This stops SQL Injection in POST vars
foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}
// ... and the same for GET vars
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}
My typical insert and update queries look like this:
// Every value is pasted into the SQL text as a quoted string literal
$insert = "'$email', '$pw', '$company', '$co_description', '$category', '$url', '$street', '$suite', '$city', '$state', '$zip', '$phone', '$date', '$actkey'";
mysql_query("INSERT INTO provider (email, pw, company, co_description, category, url, street, suite, city, state, zip, phone, regdate, actkey) VALUES ($insert)")
    or die ('error ' . mysql_error());

mysql_query("UPDATE coupon SET head='$_POST[head]', fineprint='$_POST[fineprint]', exdate='$exdate', creationdate=NOW() WHERE id='$cid'")
    or die ('error ' . mysql_error());
Comments (5)
That's somewhat effective, but it's suboptimal: not all of the data you receive in _GET and _POST will go into the database. Sometimes you might want to display it on the page instead, in which case mysql_real_escape_string can only hurt (instead, you'd want htmlentities).
My rule of thumb is to only escape something immediately before putting it into the context in which it needs to be escaped.
In this context, you'd be better off just using parameterized queries; then escaping is done for you automatically.
This is not enough.
1. You're missing cookies, the $_COOKIE variable.
2. If you use $_REQUEST you're in trouble.
3. You didn't show your queries; you must enquote each variable with single quotes '' when you put it into the query (especially when the data is supposed to be an integer and you might think that a quote is not necessary in that case, but that would be a big mistake).
4. Data used in your query could come from other sources.
The best way is to use data binding and have the data escaped automatically by the driver; this is available in the PDO extension.
Example code:
You can also bind data using string keys:
If you want to learn PDO, you might find these helper functions I use useful:
http://www.gosu.pl/var/PDO.txt
Each of the functions that fetch data accepts a parameters array as its 2nd argument (optional), used for automatic data binding against SQL injection. Its use has been presented earlier in this post.
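The first two comments both recommend parameterized queries. Below is an added, self-contained example of the poster's INSERT and UPDATE rewritten with PDO prepared statements; it is not the sample code the comment above referred to, nor anything from the linked helper file. It uses an in-memory SQLite database so it runs offline without MySQL; the reduced table layout and the request values standing in for $_POST are constructed for the example.

```php
<?php
// Added example, not the poster's code or the comment's own sample: the poster's
// INSERT and UPDATE as PDO prepared statements. SQLite in memory is used so this
// runs offline. For MySQL the DSN would be 'mysql:host=...;dbname=...' and you
// would also set PDO::ATTR_EMULATE_PREPARES to false, so that the MySQL server
// receives the statement text and the values separately.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Reduced versions of the poster's tables (constructed for the example).
$db->exec('CREATE TABLE provider (id INTEGER PRIMARY KEY, email TEXT, company TEXT, url TEXT)');
$db->exec('CREATE TABLE coupon (id INTEGER PRIMARY KEY, head TEXT, fineprint TEXT)');
$db->exec("INSERT INTO coupon (id, head, fineprint) VALUES (1, 'old head', 'old fineprint')");

// Constructed request data standing in for $_POST. The company value is a classic
// injection payload; note that there is no escaping loop anywhere in this file.
$post = [
    'email'     => 'a@example.com',
    'company'   => "Acme'); DROP TABLE provider; --",
    'url'       => 'https://example.com/',
    'head'      => 'Buy one, get one',
    'fineprint' => "Limit one per customer; can't be combined",
    'cid'       => '1',
];

// INSERT with named placeholders (string keys). The SQL text contains no user
// data; the driver passes the values separately, so quotes and comment markers
// inside them are just characters in a string.
$insert = $db->prepare(
    'INSERT INTO provider (email, company, url) VALUES (:email, :company, :url)'
);
$insert->execute([
    ':email'   => $post['email'],
    ':company' => $post['company'],
    ':url'     => $post['url'],
]);

// Validate the integer id before it reaches the query. A value such as
// "1 OR 1=1" fails FILTER_VALIDATE_INT and is rejected here rather than
// becoming part of the WHERE clause.
$cid = filter_var($post['cid'], FILTER_VALIDATE_INT);
if ($cid === false) {
    exit("invalid coupon id\n");
}

// UPDATE with positional placeholders; the id is bound explicitly as an integer.
$update = $db->prepare('UPDATE coupon SET head = ?, fineprint = ? WHERE id = ?');
$update->bindValue(1, $post['head']);
$update->bindValue(2, $post['fineprint']);
$update->bindValue(3, $cid, PDO::PARAM_INT);
$update->execute();

// Read back with a prepared SELECT as well: the payload is stored as a plain
// string and the provider table still exists.
$select = $db->prepare('SELECT company FROM provider WHERE email = :email');
$select->execute([':email' => $post['email']]);
echo 'stored company: ', $select->fetchColumn(), "\n";

$check = $db->prepare('SELECT head, fineprint FROM coupon WHERE id = :id');
$check->execute([':id' => $cid]);
print_r($check->fetch(PDO::FETCH_ASSOC));
```

The values are never concatenated into SQL, so the foreach escaping loop from the question becomes unnecessary, and the raw values (apostrophes included) are stored exactly as typed, which is what you want if they are later shown on a page and escaped for HTML there.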
Kind of.
The mysql_real_escape_string function takes the given variable and escapes it for SQL queries. So you can safely append the string into a query like
It does NOT protect you against someone putting malicious code into that query to be displayed later (i.e. XSS or similar attack). So if someone sets a variable to be
That query will execute as you expect, but now on any page where you print this guy's name, his script will execute.
This is a completely WRONG approach.
In fact, you are mimicking the infamous magic quotes, which is acknowledged as a bad practice, with all its faults and dangers.
This is not to prevent SQL injection; the real escape method only adds \ to dangerous
characters like " or ', so a string with "hi"do'like" will become "hi\"do\'like\", so it is
less dangerous.
This method is not always useful; in case you want to display the content of the escaped
variable in a page, it will only destroy it and make it less readable.
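The third and fifth comments make the same point from two sides: backslash-escaping a value for a SQL string literal leaves any HTML in it fully live, and echoing the escaped value into a page both breaks the text and runs the script. The following is an added example illustrating that, written for this page and not taken from either commenter. Because mysql_real_escape_string needs a live MySQL connection and no longer exists in PHP 7+, sql_escape() below is a simplified stand-in that backslashes the quote characters as the comments describe; html_escape() is the per-context escaping you would use instead at output time.

```php
<?php
// Added example, not code from the original post or its comments.
// sql_escape() is an illustrative stand-in for mysql_real_escape_string():
// it only backslashes the quote characters and the backslash itself, which
// is the behaviour the comments describe (the real function also handles
// NUL, newlines and Ctrl-Z). html_escape() is the escaping for HTML output.

function sql_escape(string $s): string
{
    return addcslashes($s, "\\'\"");
}

function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: a legitimate apostrophe plus a stored-XSS payload, as an
// attacker would submit in a "name" or "company" field.
$name = "O'Brien <script>alert('pwned')</script>";

// 1. Escaped for a quoted SQL literal: the quotes gain a backslash so the string
//    cannot break out of '...', but the <script> tag is untouched. The database
//    stores the original text, script tag included.
$forSql = sql_escape($name);
echo "SQL literal:     '$forSql'\n";

// 2. The mistake both comments warn about: echoing the SQL-escaped value into
//    HTML. The reader sees stray backslashes, and the browser runs the script.
echo "Wrong output:    <p>$forSql</p>\n";

// 3. The same raw value escaped for the HTML context instead: the apostrophe is
//    displayed correctly and the tag is rendered as text, not executed.
echo "Right output:    <p>" . html_escape($name) . "</p>\n";

// 4. Escaping is per context, not per variable: escaping for SQL and then also
//    for HTML doubles up and still shows the backslashes to the user.
echo "Double-escaped:  <p>" . html_escape($forSql) . "</p>\n";
```

Run it from the command line and compare the four lines: only the third is what you want on a page, which is why the first comment's rule of thumb is to escape for the context you are about to enter (a prepared statement for SQL, htmlspecialchars for HTML) rather than escaping everything in $_POST up front.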