
After using quoteInto, am I safe from SQL injection?

Hello, I am using quoteInto in my query like below:

 $select->from('users')
 ->where($adapter->quoteInto('eu.username LIKE ?',"%".$param['name']."%"));

When I pass anything like ' or -1=-1 or anything like

 ' or 1=1--
 ' or 1--
 ' or 1
 \" or '1'
 ' or 1=1--
 ' OR ''='
 ' or 'a'='a
  ') or ('a'='a
'; exec master..xp_cmdshell 'ping 10.10.1.2'--
 ';

When I echo my query, all this stuff is put in the LIKE clause of my query. I just want to ask whether, after quoting, my query is safe from SQL injection?

Yes, you are safe from SQL injection by using the db adapter quote functions.

When you use quoteInto, Zend will call the Zend_Db_Adapter::quote method to escape the value string.

From the Zend Docs:
The quote() method accepts a single argument, a scalar string value. It returns the value with special characters escaped in a manner appropriate for the RDBMS you are using, and surrounded by string value delimiters.

To make your application safer you should also use Zend_Form with elements utilizing the available Zend Filters and Zend Validators. Validation of elements will catch the problem and avoid junk database calls, and filters will sanitize your data!
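An added example (not code from the question, the answer, or Zend Framework itself) that reproduces what the answer describes with plain PDO on an in-memory SQLite database: ZF1's PDO adapters implement quote() through PDO::quote() and quoteInto() replaces each '?' with the quoted value, so a short stand-in is enough to run the question's inputs through the same LIKE clause. It also shows the one thing quoting does not cover, LIKE wildcards in the input. Assumes PHP with the pdo_sqlite extension; the table rows and inputs are constructed.

```php
<?php
// Stand-in for Zend_Db_Adapter_Abstract::quoteInto(): in ZF1 the PDO adapters
// implement quote() through PDO::quote(), and quoteInto() replaces each '?'
// with the quoted value (str_replace). Assumption: pdo_sqlite is available.
function quoteInto(PDO $adapter, string $text, string $value): string
{
    return str_replace('?', $adapter->quote($value), $text);
}

// '%' and '_' are LIKE wildcards, not SQL syntax, so quote() leaves them
// alone; neutralise them with an explicit ESCAPE character ('!' here, which
// no PDO driver treats specially) when the input must match literally.
function likeLiteral(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

$adapter = new PDO('sqlite::memory:');
$adapter->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$adapter->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
// Constructed sample rows, including one with a quote in it.
$adapter->exec("INSERT INTO users (username) VALUES ('alice'), ('bob'), ('o''brien')");

// A benign search plus a few of the strings from the question.
$inputs = ["ali", "' or 1=1--", "' OR ''='", "') or ('a'='a", "';"];

foreach ($inputs as $param) {
    // Same shape as the question: the input wrapped in '%' and quoted as a whole.
    $sql = 'SELECT username FROM users WHERE username LIKE '
         . quoteInto($adapter, '?', '%' . $param . '%');
    $rows = $adapter->query($sql)->fetchAll(PDO::FETCH_COLUMN);
    // Every single quote in $param was doubled, so the whole input stays inside
    // one string literal; the tautology is searched for, not executed.
    echo $sql, "\n  -> ", json_encode($rows), "\n";
}

// The caveat: a bare wildcard is still a wildcard after quoting...
$wild = '%';
$sql = 'SELECT count(*) FROM users WHERE username LIKE ' . quoteInto($adapter, '?', "%$wild%");
echo "unescaped '%' matches ", $adapter->query($sql)->fetchColumn(), " rows\n";

// ...and matches only a literal '%' once escaped.
$sql = 'SELECT count(*) FROM users WHERE username LIKE '
     . quoteInto($adapter, '?', '%' . likeLiteral($wild) . '%') . " ESCAPE '!'";
echo "escaped '%' matches ", $adapter->query($sql)->fetchColumn(), " rows\n";
```

The first loop shows the question's inputs matching zero rows while the benign search still finds "alice"; the last two queries show that a user-supplied '%' widens the match to every row unless the application escapes wildcards itself, which is a data-exposure point rather than injection.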
