mysql_real_escape_string对Anti SQL注入是否足够?
[英]Is mysql_real_escape_string enough to Anti SQL Injection?
问题描述
In PHP Manual, there is a note: 
在PHP手册中,有一个注释:
Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.
Is this enough to anti sql injection? 这足以反sql注入吗? If not, could you give an example and a good solution to anti sql injection? 如果没有,你能举一个例子和一个很好的解决方案来反sql注入吗?
3 个解决方案
解决方案1
7 已采纳 2010-11-13 05:31:21
mysql_real_escape_string is usually enough to avoid SQL injection. mysql_real_escape_string通常足以避免SQL注入。 This does depend on it being bug free though, ie there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). 这确实取决于它是无bug的,即它有一些很小的未知机会它是脆弱的(但这还没有在现实世界中表现出来)。 A better alternative which completely rules out SQL injections on a conceptual level is prepared statements . 在概念级别上完全排除SQL注入的更好的替代方法是准备语句 。 Both methods entirely depend on your applying them correctly; 这两种方法完全取决于你正确应用它们; ie neither will protect you if you simply mess it up anyway. 也就是说,无论如何你都不会保护你。
解决方案2
0 2010-11-13 05:28:24
据我所知,这是避免SQL注入攻击的可靠方法。
解决方案3
0 2010-11-13 05:30:48
The best solution is PDO . 最好的解决方案是PDO 。
If you're using the traditional mysql_query then running all of your data through mysql_real_escape_string() is enough. 如果您正在使用传统的mysql_query那么通过mysql_real_escape_string()运行所有数据就足够了。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.