php mysqli_real_escape_string 安全吗?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/22304930/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Is mysqli_real_escape_string safe?
提问by Rosamunda
I′m new in PHP and I′ve realised that my database connection, using a php form (with user and pass text inputs) was totally unsafe:
我是 PHP 新手,我意识到我的数据库连接,使用 php 表单(带有用户和传递文本输入)是完全不安全的:
This was working, but was unsafe:
这是有效的,但不安全:
<?php
$link=mysqli_connect('localhost','xx','xx','xx');
$sql=' SELECT * FROM usuarios
WHERE username="'.$_POST['usuario'].'"
AND pass="'.$_POST['usuario'].'"
';
$rs=mysqli_query($link,$sql);
mysqli_close($link);
?>
So, I′ve read about mysqli_real_escape_string, and decided to try it out:
所以,我已经阅读了 mysqli_real_escape_string,并决定尝试一下:
<?php
$link=mysqli_connect('localhost','xx','xx','xx');
$usuario=mysqli_real_escape_string($link, $_POST["usuario"]);
$clave=mysqli_real_escape_string($link, $_POST["clave"]);
$sql=' SELECT * FROM usuarios
WHERE username="'.$usuario.'"
AND pass="'.$clave.'"
';
$rs=mysqli_query($link,$sql);
mysqli_close($link);
?>
Is this correct? Is this a good example of how to use mysqli_real_escape_string?
这样对吗?这是如何使用 mysqli_real_escape_string 的一个很好的例子吗?
回答by Your Common Sense
Is this correct?
这样对吗?
Yes.
是的。
Is this a good example of how to use mysqli_real_escape_string?
这是如何使用 mysqli_real_escape_string 的一个很好的例子吗?
NO
不
If ever used, this function have to be encapsulated into some inner processing, and never have to be called right from the application code. A placeholderhave to be used instead, to represent data in your query:
如果曾经使用过,这个函数必须被封装到一些内部处理中,并且永远不必从应用程序代码中直接调用。一个占位符必须用来代替,来表示你的查询数据:
$sql='SELECT * FROM usuarios WHERE username=? AND pass=?';
And then, upon processing placeholder marks, this function maybe applied (if applicable) but not by itself but along ALL the formatting rules.
然后,在处理占位符标记,此功能可以被应用(如适用),但不是本身,而是沿所有格式规则。
回答by Aartsie
Yes you will use it save now.
是的,您现在将使用它保存。
The nice thing about using mysqli is that it is Object oriented. So you can use it like this:
使用 mysqli 的好处是它是面向对象的。所以你可以像这样使用它:
<?php
$mysqli = new mysqli("host", "user", "password", "database");
$usuario = $mysqli->real_escape_string($_POST["usuario"]);
$clave = $mysqli->real_escape_string($_POST["clave"]);
$sql=' SELECT * FROM usuarios
WHERE username="'.$usuario.'"
AND pass="'.$clave.'"
';
$mysqli->query($sql);
$mysqli->close();
?>
Or you can use PDO.
或者您可以使用 PDO。
回答by Ermir
The use of mysqli() functions should only be reserved for framework developers and others who are aware of all the safety issues it can bring. For everyone else, there's PDO. It's just as easy to use as mysqli(), and far safer.
mysqli() 函数的使用应该只留给框架开发人员和其他意识到它可能带来的所有安全问题的人。对于其他人,有PDO。它和 mysqli() 一样容易使用,而且更安全。
