堆栈内存溢出
  简体   繁体   English

这是防止SQL注入的好方法吗

[英]Is this a good way for SQL injection prevention

 原文  2015-03-27 16:45:43       javascript/ php/ mysql/ pdo/ sql-injection

问题描述

i have read many things here about how to prevent SQL injection also on other website and forums. 我在其他网站和论坛上也读过很多有关如何防止SQL注入的内容。 Only thing is thats it makes me really confused on the way how to protect your website when writing stuff to the database. 唯一的问题就是,这使我对将内容写入数据库时​​如何保护您的网站的方式感到非常困惑。

I'm creating as schol project something where there alot of input from the users wil be writte to the database, i'm currently check them by javascript if they contains iligal char. 我正在创建一个Schol项目,其中一些来自用户的输入将被写入数据库,我目前正在通过javascript检查它们是否包含iligal char。 Then i use ajax to activate my controller, use the query in my model send it back to the view. 然后我使用ajax激活我的控制器,在模型中使用查询将其发送回视图。

But lets go on on my problem. 但是,让我们继续我的问题。

If i validate a input first with javascript, (client-side), then server side with PHP. 如果我首先使用javascript(客户端)验证输入,然后使用PHP验证服务器端。 If i first check in php if the input contains iligal char like * '' `` > <, that kind of things. 如果我首先在php中检查输入是否包含* *``> <这样的非法字符,那就是这种事情。 What you whould use in a query for geting information from the database. 您在查询中将用于从数据库中获取信息的内容。 Then escape the whitescpases since i don't want to have things with spaces on the website as users input. 然后逃脱whitescpases,因为我不想在用户输入时在网站上放置空格。

Then use mysqli_real_escape_string() on the input. 然后在输入上使用mysqli_real_escape_string() Then send it to the query that will looks like this. 然后将其发送到如下所示的查询。 

/**
* @param string
* @param string
* @return mixed
*/
public function updateUsername($oldUsername, $newUsername) {
    return $this->_db->query("UPDATE `users` SET `username` = :new_username WHERE `username` = :old_username",
        [':new_username' => $newUsername,':old_username' => $oldUsername]);
}

So 1 > Check using javascript 所以1>使用javascript检查
2 > Check by php on char like * < > ' # 2>通过php在char上进行检查,例如* <>'#
3 > using mysqli_real_escape_string() 3>使用mysqli_real_escape_string()
4 > To the PDO query 4>转到PDO查询

Is this a good way for prefending SQL injection, i really don't want to send my school project live in the air with SQL injection haha. 这是假装SQL注入的好方法,我真的不想让我的学校项目随SQL注入一起直播。

Greetz, 格蕾兹

Also many thanks for reading my long story 也非常感谢您阅读我的长篇小说

1 个解决方案

解决方案1
 2 已采纳  2015-03-27 17:12:48

  1. No. Banning characters prevents people from using them and there are often valid reasons to use them. 不能。禁止字符会阻止人们使用它们,并且经常有充分的理由使用它们。 If it makes no sense for the characters to appear in the data, then you can filter them to help keep the data sane. 如果字符没有必要出现在数据中,则可以对其进行过滤以帮助使数据保持理智。 Don't do it as a security measure. 请勿将其作为安全措施。
  2. Ditto 同上
  3. No. Parametrised queries are better. 否。参数化查询更好。
  4. Yes, but not in combination with mysqli_real_escape_string since you shouldn't mix APIs and if you used both you would double escape things and put \\ characters in your data. 是的,但是不能与mysqli_real_escape_string结合使用,因为您不应该混合使用API​​,如果同时使用这两个API,则会使转义字符加倍,并在数据中添加\\字符。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Wordpress上的Javascript注入预防 - Javascript Injection prevention on Wordpress 使用Javascript防止WebSQL注入 - WebSQL injection prevention with Javascript 文本框的 Javascript 注入攻击预防 - Javascript injection attack prevention for textboxes JavaScript NoSQL 注射预防 MongoDB - JavaScript NoSQL Injection prevention in MongoDB 使用Javascript或C#防止SQL注入的最佳方法? - Best Way to Prevent SQL Injection Using Javascript or C#? 哪种方法可以用sql绑定10000条以上的记录? - Which is good way to bind more than 10000 records with sql? Sequelize: SQL 在findOne中注入? - Sequelize: SQL injection in findOne? 验证网址的好方法 - a good way to validate the URL 闭包(好方法书) - Closure (the good way book) 这是禁用滚动的好方法吗? - Is this a good way to disable scrolling?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM