php 这是将表单数据插入 MySQL 数据库的安全方法吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9624292/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is this a secure method to insert form data into a MySQL database?
提问by Miles Pfefferle
Possible Duplicate:
How can I prevent SQL injection in PHP?
可能的重复:
如何防止 PHP 中的 SQL 注入?
This is the example on w3schools.org:
这是 w3schools.org 上的示例:
HTML form:
HTML表单:
<html>
<body>
<form action="insert.php" method="post">
Firstname: <input type="text" name="firstname" />
Lastname: <input type="text" name="lastname" />
Age: <input type="text" name="age" />
<input type="submit" />
</form>
</body>
</html>
File insert.php:
文件insert.php:
<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("my_db", $con);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con)
?>
I've read through other questions on here, but I couldn't find a direct answer, as most were much more complicated.
我已经阅读了此处的其他问题,但找不到直接答案,因为大多数问题要复杂得多。
I looked at How can I prevent SQL injection in PHP?, but I'm a bit confused on how to modify this:
我查看了如何防止 PHP 中的 SQL 注入?,但我对如何修改这个有点困惑:
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$preparedStatement->execute(array(':column' => $unsafeValue));
Assuming I used the HTML form above and wanted to insert the data from field 'firstname' into the database, should it look like this? Or am I supposed to modify column?:
假设我使用了上面的 HTML 表单并想将字段 'firstname' 中的数据插入到数据库中,它应该是这样的吗?还是我应该修改column?:
$preparedStatement = $db->prepare('INSERT INTO table (column) VALUES (:column)');
$preparedStatement->execute(array(':column' => $firstname));
采纳答案by shaunsantacruz
The example you provided inserts the post vars into the database without first analyzing them for evil user input. Use type casting, escaping/filter functions, prepared statements etc. before using them to interact with your DB.
您提供的示例将 post vars 插入到数据库中,而没有先分析它们是否有恶意的用户输入。在使用类型转换、转义/过滤函数、准备好的语句等与您的数据库交互之前使用它们。
A general rule to go by is to never trust user input. EVER!
要遵循的一般规则是永远不要相信用户输入。曾经!
Check out: Best way to stop SQL Injection in PHP
In response to your question, here is how you'd handle the entire form using PDO prepared statements.
针对您的问题,以下是您如何使用 PDO 准备好的语句处理整个表单。
$stmt = $db->prepare('INSERT INTO Persons (FirstName, LastName, Age) VALUES (:first_name, :last_name, :age)');
$stmt->execute(array(':first_name' => $first_name,':last_name' => $last_name, ':age' => $age));
If you just want to insert one column in the record like you asked, the syntax would be:
如果您只想按照您的要求在记录中插入一列,则语法为:
$stmt = $db->prepare('INSERT INTO Persons (FirstName) VALUES (:first_name)');
$stmt->execute(':first_name', $first_name);
回答by Daniel A. White
NO.
不。
That is HIGHLYvulnerable to sql injection attacks.
这非常容易受到 sql 注入攻击。
Instead of using mysql_real_escape_string, I suggest using prepared statements.
mysql_real_escape_string我建议使用准备好的语句,而不是使用。
回答by yunzen
回答by yehuda
$magic_quotes_active = get_magic_quotes_gpc();
$real_escape_string_exists = function_exists('mysql_real_escape_string');
function escape_value($sql) {
if ($real_escape_string_exists) {
if($magic_quotes_active) {
$sql = stripslashes($sql);
}
$sql = mysql_real_escape_string($sql);
} else {
if(!$magic_quotes_active) {
$sql = addslashes($sql);
}
}
return $sql;
}
This is considered a very secure way to insert stuff into a database. Use the returned $sqlto as your query!
这被认为是一种将内容插入数据库的非常安全的方式。使用返回$sql到作为您的查询!
