"mysqli_real_escape_string" 是否足以避免 SQL 注入或其他 SQL 攻击?
Is "mysqli_real_escape_string" enough to avoid SQL injection or other SQL attacks?
这是我的代码:
$email= mysqli_real_escape_string($db_con,$_POST['email']);
$psw= mysqli_real_escape_string($db_con,$_POST['psw']);
$query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$email."','".$psw."')";
有人可以告诉我它是否安全,或者它是否容易受到 SQL 注入攻击或其他 SQL 攻击?
Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ?
没有。如uri2x所说,见SQL injection that gets around mysql_real_escape_string()。
The best way to prevent SQL injection is to use prepared statements. They separate the data (your parameters) from the instructions (the SQL query string) and doesn't leave any room for the data to contaminate the structure of your query. Prepared statements solve one of the fundamental problems of application security.
对于不能使用准备好的语句的情况(例如LIMIT),为每个特定目的使用非常严格的白名单是保证安全的唯一方法。
// This is a string literal whitelist
switch ($sortby) {
case 'column_b':
case 'col_c':
// If it literally matches here, it's safe to use
break;
default:
$sortby = 'rowid';
}
// Only numeric characters will pass through this part of the code thanks to type casting
$start = (int) $start;
$howmany = (int) $howmany;
if ($start < 0) {
$start = 0;
}
if ($howmany < 1) {
$howmany = 1;
}
// The actual query execution
$stmt = $db->prepare(
"SELECT * FROM table WHERE col = ? ORDER BY {$sortby} ASC LIMIT {$start}, {$howmany}"
);
$stmt->execute(['value']);
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);
我假设上述代码不受 SQL 注入的影响,即使在模糊的边缘情况下也是如此。如果您使用的是 MySQL,请确保关闭模拟准备。
$db->setAttribute(\PDO::ATTR_EMULATE_PREPARES, false);
这是我的代码:
$email= mysqli_real_escape_string($db_con,$_POST['email']);
$psw= mysqli_real_escape_string($db_con,$_POST['psw']);
$query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$email."','".$psw."')";
有人可以告诉我它是否安全,或者它是否容易受到 SQL 注入攻击或其他 SQL 攻击?
Could someone tell me if it is secure or if it is vulnerable to the SQL Injection attack or other SQL attacks ?
没有。如uri2x所说,见SQL injection that gets around mysql_real_escape_string()。
The best way to prevent SQL injection is to use prepared statements. They separate the data (your parameters) from the instructions (the SQL query string) and doesn't leave any room for the data to contaminate the structure of your query. Prepared statements solve one of the fundamental problems of application security.
对于不能使用准备好的语句的情况(例如LIMIT),为每个特定目的使用非常严格的白名单是保证安全的唯一方法。
// This is a string literal whitelist
switch ($sortby) {
case 'column_b':
case 'col_c':
// If it literally matches here, it's safe to use
break;
default:
$sortby = 'rowid';
}
// Only numeric characters will pass through this part of the code thanks to type casting
$start = (int) $start;
$howmany = (int) $howmany;
if ($start < 0) {
$start = 0;
}
if ($howmany < 1) {
$howmany = 1;
}
// The actual query execution
$stmt = $db->prepare(
"SELECT * FROM table WHERE col = ? ORDER BY {$sortby} ASC LIMIT {$start}, {$howmany}"
);
$stmt->execute(['value']);
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);
我假设上述代码不受 SQL 注入的影响,即使在模糊的边缘情况下也是如此。如果您使用的是 MySQL,请确保关闭模拟准备。
$db->setAttribute(\PDO::ATTR_EMULATE_PREPARES, false);