
mysql_real_escape_string for all $_POST

I have an old system without any check for SQL injection and I want to add mysqli_real_escape_string() every time the user interacts with the DB.

All of the system is built under index.php. The page looks like this:

if (!isset($_GET['p'])) {
    $_GET['p'] = 'main';
}

if (!file_exists($_GET['p'].".php"))    {
    echo "The page you are looking for isn't exist.";
}   else    {   
    if (logs()) {
        include($_GET['p'].".php");
    }
    else    {
        include('not_register.php');
    }
}

I thought of just adding this code at the top of index.php and I wanted to be sure I'm not messing anything up, so I'm asking here.

foreach ($_POST as $name => $val)   {
    $_POST[$name] = mysqli_real_escape_string($db, $val);
}

Will this code, running on every reload of the page, have any negative influence?

Thanks.

This:

I want to add mysql_real_escape_string() every time the user interacts with the DB.

is a good goal for legacy mysql code that is using mysql_* functions. However, this:

foreach ($_POST as $name => $val) {
    $_POST[$name] = mysqli_real_escape_string($db, $val);
}

is a different thing. You're not adding it every time the user interacts with the DB; you're adding it every time, before anything else has been done. The function needs a connection to the database, so if you don't have such a connection in a page that uses these variables, you immediately run into issues. Furthermore, you can break any handling of those variables that might not expect the values to be escaped at this point - they should be escaped for DB usage, so immediately before using them with the database, not before that.


Also, as others have noted, your code is vulnerable to injection through your include pattern. file_exists can be used with network shares and file paths as well as some URL wrappers. To quote the file_exists manual entry:

As of PHP 5.0.0, this function can also be used with some URL wrappers. Refer to Supported Protocols and Wrappers to determine which wrappers support stat() family of functionality.

Even without URL wrappers, a malicious user can use your include to directly include some server configs and other files you don't want to be included.
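One way to close the include problem the answer describes is to stop deriving a filesystem path from the request at all and look the page name up in a fixed allowlist instead. The following dispatcher is an added example, not code from the question or the answer; it assumes the question's own logs() function exists and returns true for a logged-in user, and the page names and file paths are constructed for illustration.

```php
<?php
// Added example (not from the question or answer): a dispatcher that
// replaces include($_GET['p'] . ".php") with an allowlist lookup, so the
// request parameter never becomes part of a filesystem path.
// logs() is the question's own login check (assumed to be defined elsewhere).

// Only these page names may be included; the value is the real file.
// Constructed sample pages, used for illustration only.
$pages = [
    'main'    => __DIR__ . '/main.php',
    'profile' => __DIR__ . '/profile.php',
    'contact' => __DIR__ . '/contact.php',
];

$p = $_GET['p'] ?? 'main';
if (!is_string($p)) {
    // ?p[]=x arrives as an array; treat it as an unknown page
    $p = '';
}

if (!array_key_exists($p, $pages)) {
    http_response_code(404);
    echo "The page you are looking for doesn't exist.";
} elseif (logs()) {
    // The included path is chosen by this script, never by the client.
    include $pages[$p];
} else {
    include __DIR__ . '/not_register.php';
}
```

With this shape there is no file_exists() call on client input, so the wrapper and network-share cases quoted from the manual cannot arise: the only strings that ever reach include are the literal paths in $pages.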

First.

Running this function in a loop will help no one. In fact, you just reinvented the notorious magic quotes feature, which has already been removed from the language. For a reason.

Second.

It is NOT a good goal for legacy mysql code that is using mysql_* functions, simply because this function has nothing to do with injections at all.

If you have only 25 pages, just review them all and rewrite the SQL handling code properly.
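To show what "rewrite the SQL handling code properly" can look like in practice, here is an added example (not code from the question or either answer) that puts the legacy escape-and-splice query next to a parameterised mysqli version. It assumes $db is an open mysqli connection with mysqlnd available (for get_result()) and error reporting set to throw; the users table with columns id, name and email is a constructed sample schema.

```php
<?php
// Added example, not code from the question or either answer.
// Assumptions: $db is an open mysqli connection, mysqlnd is available
// (needed for get_result()), and mysqli_report(MYSQLI_REPORT_ERROR |
// MYSQLI_REPORT_STRICT) has been called so failures throw.
// The `users` table (id, name, email) is a constructed sample schema.

// Before: the value is escaped and spliced into the SQL text. This only
// does anything when the value sits inside quotes in the query; the
// function escapes quote characters, backslashes and NUL, nothing more,
// so an unquoted numeric comparison gets no protection from it at all.
function findUserByEmailLegacy(mysqli $db, string $email): ?array
{
    $safe = mysqli_real_escape_string($db, $email);
    $sql  = "SELECT id, name FROM users WHERE email = '$safe'";
    $row  = mysqli_query($db, $sql)->fetch_assoc();
    return $row ?: null;
}

// After: the SQL text is fixed and the value travels separately as a
// bound parameter, so no escaping is needed and correctness no longer
// depends on where in the statement the value happens to appear.
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// The same pattern for an integer key: validate the request value and
// bind it with type 'i'. Escaping would have been useless here anyway,
// because an id is not quoted in the query.
function findUserById(mysqli $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;            // not a valid id, so no query is issued
    }
    $id   = (int) $rawId;
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Typical use from a page handler: the raw, unescaped request value is
// passed straight in, which is exactly why the global $_POST loop from
// the question is unnecessary once queries are parameterised.
// $user = findUserByEmail($db, $_POST['email'] ?? '');
```

Reviewing each page this way also removes the dependency on $db existing before the request variables are touched, the problem the first answer points out with escaping everything at the top of index.php.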


粤ICP备18138465号  © 2020-2024 STACKOOM.COM