网站登录是否可以保护网站免受SQL注入?
[英]Will a site login protect a site from SQL Injection?
问题描述
I have secure site with a login before anyone can enter the site and submit any form data. 
我有一个安全的登录网站,然后任何人都可以进入该网站并提交任何表单数据。 Is this secure enough from SQL injection? 从SQL注入是否足够安全?
4 个解决方案
解决方案1
1 2011-11-09 16:33:11
NO! 没有!
It makes it vulnerable (if not done properly. Well as vulnerable as everything after the login). 它使它容易受到攻击(如果操作不正确,那么在登录后也会受到攻击)。
Since hackers can use the form to inject sql. 由于黑客可以使用该表格来注入sql。
A login != slq injection protection. 登录!= slq注入保护。
Sanitizing user input is. 正在清理用户输入。
Use for example: 使用例如:
mysql_real_escape_string()
mysqli_real_escape_string()
pdo's prepared statements
解决方案2
1 已采纳 2011-11-09 16:37:34
NO 没有
SQL Injection has nothing to do with authentication; SQL注入与身份验证无关。 it has to do with the way you sanitize user input. 它与清理用户输入的方式有关。 In other words, a user with perfectly good credentials may have bad intention and decide that he'd want to try and drop your database by entering malicious text on some of your form's fields. 换句话说,具有完全好的凭据的用户可能有恶意,并决定通过在表单的某些字段中输入恶意文本来尝试删除数据库。
On PHP, you can use mysql_real_escape_string() to sanitize your input and form your SQL statements via string concatenation but if you can implement prepared statements (also known as parametrized queries) much better since your query plans may be reused and you gain a performance boost as well. 在PHP上,您可以使用mysql_real_escape_string()清理您的输入并通过字符串连接来形成SQL语句,但是如果您可以更好地实现预备语句 (也称为参数化查询),因为您的查询计划可能会被重用,从而提高性能也一样
解决方案3
0 2011-11-09 16:32:16
Not if the user uses sql injection on your logon form. 如果用户在登录表单上使用sql注入,则不会。 How does the logon form work. 登录表单如何工作。 If it checks using a select then you still need to strip out bad sql etc. 如果使用选择进行检查,那么您仍然需要清除错误的SQL等。
解决方案4
0 2011-11-09 16:44:18
用您的术语来说是“ 祖父悖论” ,如果您的登录确实提供了对sql注入的保护,那么登录页面上的用户就不会登录。顺便说一句,授权/身份验证和sql注入都是无关的事情,所以您的回答是“ 否” 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.