
Is it safe using addslashes in php when parameter charset is utf-8?

I have read many posts saying that addslashes is not safe against SQL injection, but they all refer to the same example using GBK encoding. So my question is: is it safe using addslashes() to prevent SQL injection in PHP when the parameter charset is utf-8?

In fact, there are two questions in one. And so it's better to voice them separately.

For the question

Is it safe using addslashes() if charset is utf8?

The answer is YES, it is safe.
Taken by itself, in an isolated example, addslashes can produce a safe sequence to be used in an SQL string literal if your charset is utf8.

However, taken as a protection measure, intended, as it is commonly used, to "process all the input data to make it safe", it is proven to be fatally insecure. Which for the question

Is it safe using addslashes() to prevent SQL injection?

makes it the only answer:

NO WAY!

Simply because this honest function has nothing to do with protection from any injections. And never has been.

What you have to understand is that the main threat is coming not from the semi-mythical GBK vulnerability, but entirely from the misuse of this function. As it's just not intended to protect you from injections. The topic of protection is much more complex than simple string escaping.

The problem is that there are a lot of rules to keep in mind. And there are a lot of points of possible failure.

For these reasons, a simple string escaping just cannot be considered as an all-embracing protection rule.

From this point of view, parametrized queries, although not offering 100% protection, can be considered a WAY better measure anyway, eliminating the three most dangerous threats:

  • because numbers are also covered, there is no way to inject via a numeric literal
  • because of complete formatting, a wrongly escaped identifier becomes not a breach but a development stage error
  • because of automated formatting, human error is eliminated

The above three reasons I consider enough for changing your approach.

Besides, properly implemented parametrized queries make your code DRAMATICALLY cleaner. Give me your addslashes-based code snippet, and I'll show you how to make it 3-5 times shorter and cleaner.
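As an added illustration of the three points above (example code, not part of the original answer), here is an addslashes-based lookup beside its PDO prepared-statement counterpart and an identifier whitelist; it assumes the pdo_sqlite extension and uses a constructed in-memory table.

```php
<?php
// Added example: addslashes-based query builder vs. PDO prepared statement.
// The users table, its columns and all inputs below are constructed for this
// demonstration; an in-memory SQLite database keeps it self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Escaping only matters inside a quoted string literal. A numeric literal is
// interpolated unquoted, so addslashes() has nothing to act on and whatever
// the caller passes becomes part of the SQL text (the "numbers" point above).
function findByIdEscaped(PDO $pdo, string $id): array {
    $sql = 'SELECT id, name FROM users WHERE id = ' . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels separately from the SQL text with a
// declared type, so the input can never change the shape of the query.
function findByIdPrepared(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound as parameters; a whitelist turns a bad column
// name into a development-stage error instead of a breach (the second point).
function findAllSortedBy(PDO $pdo, string $column): array {
    $allowed = ['id', 'name'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Unknown sort column: $column");
    }
    return $pdo->query("SELECT id, name FROM users ORDER BY \"$column\"")
               ->fetchAll(PDO::FETCH_ASSOC);
}

print_r(findByIdPrepared($pdo, '2'));    // one row: bob
print_r(findByIdPrepared($pdo, 'abc'));  // (int) 'abc' is 0: no rows, no error
try {
    findByIdEscaped($pdo, 'abc');        // SQL text becomes "WHERE id = abc"
} catch (PDOException $e) {
    echo "escaped version: ", $e->getMessage(), "\n"; // no such column: abc
}
try {
    findAllSortedBy($pdo, 'email');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";         // Unknown sort column: email
}
```

The escaped version fails with a database error on non-numeric input because the input was spliced into the query text itself, which is exactly the failure the prepared statement removes.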
