stackoom
  简体   繁体   中英

The safest way to avoid SQL injection in PHP?

 原文  2011-05-06 02:58:45       php/ security/ sql-injection

Question

I just wonder if this line of code is safe to use to avoid SQL injection? 

// username and password sent from form 
$myusername=$_POST['loginUserName']; 
$mypassword=$_POST['loginPassword'];

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

Do I need to stripslashes?

1 answers

solution1
 8 ACCPTED  2011-05-06 03:00:31

It's safer to use prepared statements, so that the (potentially malicious) values are separated from the query string, rather than relying on escaping. Read about PHP Data Objects .

Regarding stripslashes() , that should only be necessary if you have PHP's magic_quotes_gpc feature turned on, which you shouldn't because it's deprecated. If you want to be robust, though, do if (get_magic_quotes_gpc()) $myusername = stripslashes($myusername); so that it removes a layer of slashes if and only if one was added.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question A way of globalising the mysql function to avoid sql injection Best way to avoid code injection in PHP safest way to create sessions in php Avoid SQL injection in registration form php Safest way to parse url for PHP CMS? Safest way to write into /etc from php application? What is the safest way to access CLI program in PHP Safest way to send JSON string to PHP server safest way to cypher an user id on php What is the safest way to share objects PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM