[英]Is mysql_real_escape_string enough to Anti SQL Injection?
In PHP Manual, there is a note: 在PHP手册中,有一个注释:
Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.
注意:如果此函数不用于转义数据,则查询容易受到SQL注入攻击。
Is this enough to anti sql injection? 这足以反sql注入吗? If not, could you give an example and a good solution to anti sql injection?
如果没有,你能举一个例子和一个很好的解决方案来反sql注入吗?
mysql_real_escape_string
is usually enough to avoid SQL injection. mysql_real_escape_string
通常足以避免SQL注入。 This does depend on it being bug free though, ie there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). 这确实取决于它是无bug的,即它有一些很小的未知机会它是脆弱的(但这还没有在现实世界中表现出来)。 A better alternative which completely rules out SQL injections on a conceptual level is prepared statements .
在概念级别上完全排除SQL注入的更好的替代方法是准备语句 。 Both methods entirely depend on your applying them correctly;
这两种方法完全取决于你正确应用它们; ie neither will protect you if you simply mess it up anyway.
也就是说,无论如何你都不会保护你。
据我所知,这是避免SQL注入攻击的可靠方法。
The best solution is PDO . 最好的解决方案是PDO 。
If you're using the traditional mysql_query
then running all of your data through mysql_real_escape_string()
is enough. 如果您正在使用传统的
mysql_query
那么通过mysql_real_escape_string()
运行所有数据就足够了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.