什么时候需要mysql_real_escape_string()?
[英]When mysql_real_escape_string() is needed?
问题描述
是否仅在登录页面或登录后的每个mysql_query需要带sprintf mysql_real_escape_string()才能防止SQL注入?
4 个解决方案
解决方案1
6 2010-01-06 18:40:07
You should use mysql_real_escape_string() every time you insert user-posted data into a query, or use a database wrapper like PDO that can do prepared statements. 
每次将用户发布的数据插入查询时,都应该使用mysql_real_escape_string(),或者使用可以执行预备语句的数据库包装器(如PDO) 。 That would be better, because they do the job of sanitizing for you. 这样会更好,因为它们会为您消毒。
If you are working on the overall security of your site, this is great and definitely necessary. 如果您致力于网站的整体安全性,那将是非常好的,而且绝对是必要的。 If you are looking for reasons why your site was hacked, though, I doubt this was done through a SQL injection, as your actual HTML code was affected (or so I thought, I may be wrong). 但是,如果您正在寻找网站被黑的原因,我怀疑这是通过SQL注入完成的,因为您的实际HTML代码受到了影响(或者我认为我可能是错的)。 This would be only possible if you had your FTP password stored somewhere in the database. 仅当您将FTP密码存储在数据库中的某个位置时,这才有可能。
解决方案2
5 已采纳 2010-01-06 18:40:59
对于将通过SQL查询运行的任何用户提供的数据,都应使用mysql_real_escape_string。
解决方案3
3 2010-01-06 18:41:48
Use it when you do not trust the input . 当您不信任输入时使用它。 And never trust a user input. 永远不要相信用户的输入。
解决方案4
-1 2012-06-12 16:08:58
In any instance that you accept user input, you should use mysqli_real_escape_string on it before sending it to the database. 在任何接受用户输入的情况下,都应在将其发送到数据库之前对其使用mysqli_real_escape_string 。 It is a good idea to use trim() on the input as well. 最好在输入上也使用trim() 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.