
How can I prevent SQL injection but keep " and '?

How do I prevent SQL injection in PHP but still show " and '? At the moment I am using

$input = strip_tags($input);
$input = htmlentities($input);

However the output is \" and \'. Is there any way I can show " and ' without the slashes but keep them there so I don't get injected?

The method you show is not a proper way to protect against SQL injection!

Always use the sanitation method provided by the database library you are using, e.g. mysql_real_escape_string() if you work with the standard mysql library. The sanitation method will not alter any characters in the end result.

Alternatively, use prepared statements in PDO or mysqli - those do input sanitation automatically if you bind the incoming data correctly.
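The following is an added example, not code from the question or from either answer, showing the prepared-statement approach the answer above recommends. It uses PDO with an in-memory SQLite database (an assumption so the script runs stand-alone; for MySQL only the DSN and credentials change) and a constructed input containing both quote characters and a text-book injection payload. The point is that the bound value never becomes part of the SQL text, the stored value is returned unchanged, and quotes are handled at output time by HTML encoding rather than by backslashes.

```php
<?php
// Added example (not from the original Q&A): store and display a string
// containing both " and ' without SQL injection and without stray backslashes.
// Assumption: an in-memory SQLite database so the script runs offline; the
// prepared-statement code is identical for MySQL.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For MySQL, also disable emulated prepares so the server does the binding:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed user input: both quote characters plus a classic injection
// payload. As a bound parameter it is only ever treated as data.
$userInput = 'He said "hi" and it\'s fine\'); DROP TABLE comments; --';

// Write: the value never touches the SQL text, so no manual escaping is needed.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// Read back: the stored value is byte-for-byte what the user sent, no slashes.
$select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
$select->execute([':id' => 1]);
$stored = $select->fetchColumn();
assert($stored === $userInput);

/**
 * Output encoding belongs to the output context (HTML here), not to the
 * database layer. ENT_QUOTES encodes both " and ' as entities; the browser
 * renders them back as the literal characters.
 */
function renderHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

echo renderHtml($stored), PHP_EOL;

// Sanity check: the table still exists, so the payload was inert.
$count = (int) $pdo->query('SELECT COUNT(*) FROM comments')->fetchColumn();
assert($count === 1);
```

Run it with `php example.php`. Note that neither strip_tags() nor htmlentities() appears on the database path at all: the only thing protecting the query is parameter binding, and the only thing protecting the HTML page is the encoding applied at render time.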

First, that code is not stripping backslashes, of course they're still there. Use stripslashes() to take out backslashes, but DON'T DO IT. If you see those slashes in the DB, and you HAVE USED mysql_real_escape_string, chances are you have magic_quotes_gpc on, and you're just adding another set of slashes. Remove those auto added first and then apply mysql_real_escape_string, they won't show this way but will still be there and make for a safe use in querying your DB.

There is no magic solution for being careless.

Also those slashes alone don't prevent SQL injections. The presence of them indicates another problem, magic_quotes. Magic quotes were a convenience feature in PHP2, never intended as security function. (Well accidentally they were secure around 1997 when databases didn't support multibyte charsets).

Anyway, disable magic_quotes. Use manual escaping (mysql_real_escape_string) or better yet the much more convenient prepared statements with PDO.

If you want to be lazy, disable magic_quotes still. But use $_GET = array_map("mysql_real_escape_string", $_GET); and do the same for $_POST and $_REQUEST at the start of your scripts and after the database connection was established. And then apply htmlentities(stripslashes($input)) for writing output to get rid of the extraneous backslashes.
