php 清理 Mysql 数据库输入的函数
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/9144414/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
function to sanitize input to Mysql database
提问by crmepham
I am trying to put a general purpose function together that will sanitize input to a Mysql database. So far this is what I have:
我正在尝试将一个通用函数放在一起,以清理 Mysql 数据库的输入。到目前为止,这就是我所拥有的:
function sanitize($input){
if(get_magic_quotes_qpc($input)){
$input = trim($input); // get rid of white space left and right
$input = htmlentities($input); // convert symbols to html entities
return $input;
} else {
$input = htmlentities($input); // convert symbols to html entities
$input = addslashes($input); // server doesn't add slashes, so we will add them to escape ',",\,NULL
$input = mysql_real_escape_string($input); // escapes \x00, \n, \r, \, ', " and \x1a
return $input;
}
}
If i understood the definition of get_magic_quotes_qpc(). This is set by the php server to automatically escape characters instead of needing to use addslashes().
如果我理解get_magic_quotes_qpc(). 这是由 php 服务器设置的,用于自动转义字符,而不需要使用addslashes().
Have I used addslashes()and mysql_real_escape_string()correctly together and is there anything else I could add to increase the sanitization.
我有没有正确使用addslashes()和mysql_real_escape_string()正确地一起使用,还有什么我可以添加来增加消毒的。
Thanks
谢谢
回答by Bill Karwin
htmlentities() is unnecessary to make data safe for SQL. It's used when echoing data values to HTML output, to avoid XSS vulnerabilities. That's also an important security issue you need to be mindful of, but it's not related to SQL.
htmlentities() 不需要为 SQL 确保数据安全。它在将数据值回显到 HTML 输出时使用,以避免 XSS 漏洞。这也是您需要注意的一个重要安全问题,但它与 SQL 无关。
addslashes() is redundant with mysql_real_escape_string. You'll end up with literal backslashes in your strings in the database.
addlashes() 与 mysql_real_escape_string 是多余的。您最终会在数据库中的字符串中使用文字反斜杠。
Don't use magic quotes. This feature has been deprecated for many years. Don't deploy PHP code to an environment where magic quotes is enabled. If it's enabled, turn it off. If it's a hosted environment and they won't turn off magic quotes, get a new hosting provider.
不要使用魔术引号。此功能已被弃用多年。不要将 PHP 代码部署到启用了魔术引号的环境中。如果已启用,请将其关闭。如果它是托管环境并且他们不会关闭魔术引号,请获取新的托管服务提供商。
Don't use ext/mysql. It doesn't support query parameters, transactions, or OO usage.
不要使用ext/mysql. 它不支持查询参数、事务或 OO 用法。
Update: ext/mysqlwas deprecated in PHP 5.5.0 (2013-06-20), and removed in PHP 7.0.0 (2015-12-03). You really can't use it.
更新:ext/mysql在 PHP 5.5.0 (2013-06-20) 中被弃用,并在 PHP 7.0.0 (2015-12-03) 中被移除。你真的不能用。
Use PDO, and make your queries safer by using prepared queries.
For more details about writing safe SQL, read my presentation SQL Injection Myths and Fallacies.
有关编写安全 SQL 的更多详细信息,请阅读我的演示文稿SQL 注入神话和谬误。
回答by Vyktor
Magic quotes are deprecated. Turn them off if you can :).
魔术引号已弃用。如果可以,请关闭它们:)。
The second part addslashesand mysql_real_escape_Stringdoes pretty much the same (similar) thing. Just try
第二部分addslashes和mysql_real_escape_String做几乎相同(相似)的事情。你试一试
addslashes( '\')
// and
mysql_real_escape_string( '\')
Result should be \\so if you use
结果应该是\\这样,如果你使用
mysql_real_escape_string( addslashes( '\'))
you should get \\(or '\\\\'as string). Use only mysql_real_escape_string(better) OR addslashes, never both.
你应该得到\\(或'\\\\'作为字符串)。仅使用mysql_real_escape_string(更好) OR addslashes,切勿同时使用。
I recommend to use PDOinstead of raw functions and manual escaping.
我建议使用PDO而不是原始函数和手动转义。
回答by Emil Vikstr?m
Why do you want to apply htmlentities before saving data to the database? What if you want to use the data for something else than just writing it out to a browser? For example for searching, partitioning data, using the data in other programming languages, etc...
为什么要在将数据保存到数据库之前应用 htmlentities?如果您想将数据用于其他用途,而不仅仅是将其写入浏览器,该怎么办?例如用于搜索、分区数据、使用其他编程语言中的数据等...
The only thing you really want to apply is mysql_real_escape_string (or use PDO), nothing else.
你唯一真正想要应用的是 mysql_real_escape_string (或使用PDO),没有别的。
I usually prefer to undo the effects of magic quotes entirely, always. Magic quotes is just cumbersome to work with and should never have been invented. Here's a snippet from the PHP manualto reverse the magic quotes:
我通常更喜欢完全撤消魔术引号的效果,总是。魔术引号使用起来很麻烦,不应该被发明。这是PHP 手册中的一个片段,用于反转魔术引号:
if (get_magic_quotes_gpc()) {
$process = array(&$_GET, &$_POST, &$_COOKIE, &$_REQUEST);
while (list($key, $val) = each($process)) {
foreach ($val as $k => $v) {
unset($process[$key][$k]);
if (is_array($v)) {
$process[$key][stripslashes($k)] = $v;
$process[] = &$process[$key][stripslashes($k)];
} else {
$process[$key][stripslashes($k)] = stripslashes($v);
}
}
}
unset($process);
}
回答by Your Common Sense
the worst part that adding slashes does not sanitize anything, no matter what function was used.
and it should not be used in the means of whatever "sanitization" at all.
最糟糕的是,无论使用什么功能,添加斜杠都不会清理任何东西。
并且根本不应该以任何“消毒”的方式使用它。
slashes do not "sanitize" data. Slashes do escape string delimitersonly. Thus, the only sanitization you can talk of, is escaping and and quoting.
斜线不会“清理”数据。斜线只能转义字符串分隔符。因此,您可以谈论的唯一清理方法是转义和引用。
Otherwise, if you won't put quotes around "sanitized" string, you will have no protection at all.
否则,如果您不在“已清理”字符串周围加上引号,您将根本没有任何保护。
回答by Frederick Marcoux
Use:
用:
mysql_real_escape_string()
This will prevent bad data like DROP TABLE ;)
这将防止像 DROP TABLE 这样的坏数据;)
