
SQL Injection: is this code safe?

I have an API server, and I need to put all GET data into the database.

I use this code after connecting to the database:

<?php
// Escape every incoming GET parameter in place, using the already-open mysql_ connection.
foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}

Is my code safe?

No, your code is not safe! Because we do not see how you put your data into your query, and that is the most important thing.

You can do so many things wrong, like this:

// Table and column names are interpolated raw; only the value position gets the escaped string.
$sql = "INSERT INTO {$_GET[table]} ({$_GET[column]}) VALUES ('{$_GET[value]}')";

Only the last value is securely escaped; the first two are not!

Also, mysql_real_escape_string() evaluates the encoding setting of the ongoing database connection. Have you connected to the database before? Have you set the encoding?

Last: do not escape data before you really need to. Premature escaping leads to all kinds of problems, because the pre-escaped data might be used for something else at the same time.

At the moment it is. But note, all mysql_ functions are deprecated and will be removed from PHP and won't be supported anymore, which presents its own security hazards.

Consider using

mysqli_real_escape_string

More info

http://php.net/manual/en/function.mysql-real-escape-string.php

Please read the red block and note the security comment about default charsets; it applies to both functions.
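The two points raised in the answers above, that escaping only protects the value position of a query (not the table and column names), and that escaping is only correct for the charset the connection actually uses, are shown together in the following added example. This is not code from the question or from either answer; the table name `events`, its column list, the DSN and the credentials are placeholders chosen for illustration.

```php
<?php
// Added example: identifiers are whitelisted, values are bound as parameters,
// and the connection charset is fixed before any escaping happens.
declare(strict_types=1);

// Assumed whitelist of tables and the columns this endpoint may write to.
// Identifiers cannot be bound as parameters, so they are validated against a
// fixed list instead of being escaped.
const ALLOWED_COLUMNS = [
    'events' => ['name', 'value'],
];

/**
 * Reject any table/column pair that is not explicitly allowed.
 */
function checkIdentifiers(string $table, string $column): void
{
    if (!isset(ALLOWED_COLUMNS[$table]) || !in_array($column, ALLOWED_COLUMNS[$table], true)) {
        throw new InvalidArgumentException('table/column not allowed');
    }
}

/**
 * Insert one value. The identifiers are whitelisted above; the value is bound
 * as a parameter, so it never becomes part of the SQL text at all.
 */
function insertValue(PDO $pdo, string $table, string $column, string $value): int
{
    checkIdentifiers($table, $column);
    // Backtick-quoting is safe here only because the names passed the whitelist.
    $sql  = sprintf('INSERT INTO `%s` (`%s`) VALUES (:value)', $table, $column);
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]);
    return (int) $pdo->lastInsertId();
}

/**
 * If SQL text must be built by escaping (the mysqli_real_escape_string route),
 * the connection charset has to be set first: the escaping rules depend on it.
 * Column name is fixed here rather than taken from the request.
 */
function escapedInsertSql(mysqli $db, string $value): string
{
    mysqli_set_charset($db, 'utf8mb4');
    return "INSERT INTO `events` (`value`) VALUES ('" . mysqli_real_escape_string($db, $value) . "')";
}

// Placeholder DSN and credentials. The charset is part of the DSN so that the
// driver's quoting and the server's interpretation of the bytes agree.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=api;charset=utf8mb4',
    'api_user',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Request data is left unescaped: escaping belongs to the statement being
// built, not to the input, so no loop over $_GET rewriting its contents.
$table  = (string) ($_GET['table']  ?? '');
$column = (string) ($_GET['column'] ?? '');
$value  = (string) ($_GET['value']  ?? '');

try {
    $id = insertValue($pdo, $table, $column, $value);
    echo "inserted row $id\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "bad request\n";
}
```

With this structure the request in the first answer's example (`?table=...&column=...&value=...`) can only ever reach a whitelisted table and column, and the value cannot break out of the statement regardless of what characters it contains. The `escapedInsertSql()` helper is included only to show where `mysqli_set_charset()` belongs if escaping is used at all; prepared statements are the route to prefer.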
