用于 SQL 注入性能的最佳函数
可能的重复:
在 PHP 中停止 SQL 注入的最佳方法
我想知道哪些函数最适合用来防止 MySQL 注入
我可以使用很多函数来防止 sql 注入,例如:
mysql_real_escape_string
mysqli_real_escape_string
addslashes
- 为数字
htmlentities
转换值(intval 等...) - 使用
ENT_QUOTES
- ,或者直接删除
>'
或"
我想使用最好、更快的反 SQL 注入方法来标准化我的代码,并且我想知道对于高流量网站应该使用哪一种。
Possible Duplicate:
Best way to stop SQL Injection in PHP
I would like to know which functions is best to use to prevent MySQL injections
There are plenny of functions I can use to prevent sql injections, such as:
mysql_real_escape_string
mysqli_real_escape_string
addslashes
- casting values (intval etc...) for numbers
htmlentities
withENT_QUOTES
- or simply remove the
'
or"
I want to standardize my code using the best and faster anti-SQL-injections method and I would like to know which one should I use for high traffic sites.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
您不应该使用 htmlentities 将数据保存到数据库,addslashes 不是 100% 安全的(某些字符集仍然可能使其容易受到攻击),使用 mysql_ 或 mysqli_ 取决于您正在使用的驱动程序并且不可互换。基本上,这不是速度或性能的问题 - 唯一正确的做法是使用驱动程序附带的转义函数(pdo::escape 或 mysql[I]_real_escape_string)来处理字符串并将整数/浮点数转换为正确的类型。
You shouldn't use htmlentities for saving data to a database, addslashes isn't 100% secured (some character sets can still make it vulnerable), using mysql_ or mysqli_ is dependent on the driver you're using and not interchangable. Basically, its not a matter of speed or performance - the only right thing to do is using the escape function that comes with your driver (pdo::escape or mysql[I]_real_escape_string) for strings and casting integers/floats to their correct type.
为了给你一个简单的答案,你可以使用 mysql_real_escape_string
http://www .tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://www.osempire.com/php-injection-attacks-guide
为了给您更好的答案,请尝试阅读 Theo 在 如何防止 PHP 中的 SQL 注入?
我假设您已经在该项目中了。完成后,我建议学习一个新的框架,如 CodeIgniter、Yii 和 CakePHP,以加快开发速度。
To give you a simple answer, you can use mysql_real_escape_string
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
http://www.osempire.com/php-injection-attacks-guide
To give you a better answer, try reading Theo's answer in How can I prevent SQL injection in PHP?
I assume you are in the middle of the project already. Once you finish, I suggest learning a new framework like CodeIgniter, Yii and CakePHP to speed up development.