stackoom
  简体   繁体   中英

Can mysql_real_escape_string ALONE prevent all kinds of sql injection ?

 原文  2012-03-22 00:02:25       php/ mysql/ sql/ sql-injection

Question

Possible Duplicate:
SQL injection that gets around mysql_real_escape_string()

I havent seen any valuabe or not outdated info on this. So, there is this question: Does mysql_real_escape_string() FULLY protect against SQL injection? Yet it is very outdated(its from '09), so as of php 5.3 and mysql 5.5 in '12, does it protect fully ?

3 answers

solution1
 11 ACCPTED  2012-03-22 11:30:07

mysql_real_escape_string ALONE can prevent nothing.

Moreover, this function has nothing to do with injections at all.

Whenever you need escaping, you need it despite of "security", but just because it is required by SQL syntax. And where you don't need it, escaping won't help you even a bit.

The usage of this function is simple: when you have to use a quoted string in the query, you have to escape it's contents. Not because of some imaginary "malicious users", but merely to escape these quotes that were used to delimit a string. This is extremely simple rule, yet extremely mistaken by PHP folks.

This is just syntax related function, not security related.

Depending on this function in security matters, believing that it will "secure your database against malicious users" WILL lead you to injection.

A conclusion that you can make yourself:
No, this function is not enough .

Prepared statements is not a silver bullet too. It covers your back for only half of possible cases. See the important addition I made to the famous question for the details

solution2
 4  2012-03-22 00:12:37

long time since I read a blog post about this so it may no longer hold true BUT...

The posts stated that if you had unicode encoded characters in your string they would be missed by real escape string but would be evaluated by mysql engine - alluding to the idea that you could indeed still be open to a well placed injection.

I can't remember the blog post but this question on here is in the same ball-park.

solution3
 0  2012-03-22 00:07:08

Yes. By properly escaping the string using the native mysql escape functions, it's not possible to "break out" and execute a query.

However, a better approach would be to use prepared statements. This will do a number of things. By using prepared statements you take advantage of even more optimization from the database and it will properly escape any data passed in. Take a look at: http://php.net/manual/en/mysqli.prepare.php

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Where to use mysql_real_escape_string to prevent SQL Injection? Sql injection mysql_real_escape_string SQL injection that gets around mysql_real_escape_string() Is mysql_real_escape_string enough to Anti SQL Injection? Avoiding SQL injection using mysql_real_escape_string and stripslashes mysql_real_escape_string : Is it enough for database security alone? mysql_real_escape_string for all $_POST Is mysql_real_escape_string enough for preventing HTML injection? Does mysql_real_escape_string() FULLY protect against SQL injection? PHP code vulnerable to SQL injection: how to work with `mysql_real_escape_string()`?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM