在PHP中避免SQL注入最安全的方法是什么?
[英]The safest way to avoid SQL injection in PHP?
问题描述
I just wonder if this line of code is safe to use to avoid SQL injection? 
我只是想知道这行代码是否可以安全使用以避免SQL注入?
// username and password sent from form
$myusername=$_POST['loginUserName'];
$mypassword=$_POST['loginPassword'];
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
Do I need to stripslashes? 我需要条纹吗?
1 个解决方案
解决方案1
8 已采纳 2011-05-06 03:00:31
It's safer to use prepared statements, so that the (potentially malicious) values are separated from the query string, rather than relying on escaping. 使用预准备语句更安全,因此(潜在的恶意)值与查询字符串分开,而不是依赖于转义。 Read about PHP Data Objects . 阅读PHP数据对象 。
Regarding stripslashes() , that should only be necessary if you have PHP's magic_quotes_gpc feature turned on, which you shouldn't because it's deprecated. 关于stripslashes() ,只有在你启用PHP的magic_quotes_gpc功能时才应该这样做 ,你不应该这样做,因为它已被弃用。 If you want to be robust, though, do if (get_magic_quotes_gpc()) $myusername = stripslashes($myusername); 但是,如果你想要健壮,请执行if (get_magic_quotes_gpc()) $myusername = stripslashes($myusername); so that it removes a layer of slashes if and only if one was added. 这样当且仅当添加了一个斜杠时,它才会删除一个斜杠。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.