FILTER_VALIDATE_EMAIL是否可以安全地插入数据库中的字符串?
[英]Does FILTER_VALIDATE_EMAIL make a string safe for insertion in database?
问题描述
$str = '"mynam@blabl"@domanin.com';
filter_var($str, FILTER_VALIDATE_EMAIL);//return valid email.
the above email returns true... Fair enough that RFC 2822 says it's a legal email address. 
上面的电子邮件返回true ...足够公平,RFC 2822说这是一个合法的电子邮件地址。
my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var? 我的问题是,如果您使用上述方法验证电子邮件,即使您使用filter_var对其进行过滤,电子邮件也会进行可能损害数据库的SQL注入?
5 个解决方案
解决方案1
4 已采纳 2010-11-11 13:10:44
my question is if you validate an email using the above could an email carry sql injections that can harm the db even though you have filtered it with filter_var?
filter_var is not a replacement for database specific sanitation like mysql_real_escape_string() ! filter_var 不是像mysql_real_escape_string()那样的数据库特定的卫生设施的替代品! One needs to always apply that, too. 人们也需要始终应用它。
解决方案2
2 2010-11-11 13:11:02
Yes - do not rely on anything besides the database specific escaping mechanism for safety from SQL injection. 是的 - 除了数据库特定的转义机制之外,不要依赖于SQL注入的安全性。
Always use mysql_real_escape_string() on it before using it in SQL. 在SQL中使用之前,请始终使用mysql_real_escape_string() 。
解决方案3
1 2013-01-16 00:50:51
I tend to use FILTER_VALIDATE_EMAIL to check if the email is valid and then further down the line if the email needs to be saved into a database I would then strip out the dangerous characters. 我倾向于使用FILTER_VALIDATE_EMAIL检查电子邮件是否有效,然后如果电子邮件需要保存到数据库中,那么我将进一步下线,然后我将删除危险字符。 The mysql and mysqli libraries are pretty much dead in the water too so I would suggest using PDO which is a much safer option. mysql和mysqli库在水中也已经死了,所以我建议使用PDO,这是一个更安全的选择。
http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers
Also, the link below advises what characters are legal in an email address, backticks and single quotes are allowed in email address, hence probably why FILTER_VALIDATE_EMAIL does not pick them up...remember we're looking for invalid email addresses not dangerous email addresses. 此外,下面的链接建议电子邮件地址中哪些字符合法,电子邮件地址中允许使用反引号和单引号,因此可能为什么FILTER_VALIDATE_EMAIL不会选择它们...记住我们正在寻找无效的电子邮件地址而不是危险的电子邮件地址。
Like anything when it comes to any programming language you should always keep security at the top of the list! 就像任何编程语言一样,你应该始终将安全保持在列表的顶部!
http://email.about.com/cs/standards/a/email_addresses.htm http://email.about.com/cs/standards/a/email_addresses.htm
解决方案4
1 2010-11-11 13:35:08
Also, it's not safe anyway. 而且,无论如何它都不安全。 _VALIDATE_EMAIL allows single quotes ' and the backtick ` in it. _VALIDATE_EMAIL允许单引号'和反引号` 。 (But cleansing functions should never be relied on, always context escape or use parameterized SQL.) (但是永远不应该依赖清理函数,总是上下文转义或使用参数化SQL。)
解决方案5
0 2017-08-06 19:49:49
Never use VALIDATE , maybe you can use SANITILIZE but I don't recommend it anyway. 永远不要使用VALIDATE ,也许你可以使用SANITILIZE但我还是不推荐它。
Consider this code: 考虑以下代码:
$email = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
$query = mysqli_query($sql, 'SELECT * FROM table WHERE email = "'.$email.'"');
The basic SQL Injection is " or 1 = 1 , you have already heard about it. But we can't use espaces and we need to end this string with something like @something.com . 基本的SQL注入是" or 1 = 1 ,你已经听说过了。但我们不能使用espaces,我们需要用@something.com这样的字符串来结束这个字符串。
So, we start with " and add or'1'='1' this will work (because or1=1 will fail). Now we need the @email.com , let's add it as a MySQL comment ( --@something.com ). So, this is the result: 因此,我们从"并添加or'1'='1'这将起作用(因为or1=1将失败)。现在我们需要@email.com ,让我们将其添加为MySQL注释( --@something.com )。所以,这是结果:
"or'1'='1'--"@email.com
This is valid email for filter_var and unsafe for mysqli_query . 这是filter_var有效电子邮件,对mysqli_query不安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.