<分区>
我在页面上接收的所有参数上使用 addslashes()。并且还在 mysql 查询中围绕这些变量应用单一法院。这是我的代码:
$string = addslashes($_POST['string']);
$queryString = " INSERT INTO general (description) VALUES ('$string')";
$query = mysql_query($queryString);
和
$queryString = "SELECT description FROM general WHERE description = '".$string."'";
$query = mysql_query($queryString);
这段代码中是否存在 SQL INJECTION 的可能性?
最佳答案
阅读这篇文章:addslashes() Versus mysql_real_escape_string()
摘录:
If I want to attempt an SQL injection attack against a MySQL database, having single quotes escaped with a backslash is a bummer. If you're using addslashes(), however, I'm in luck. All I need to do is inject something like 0xbf27, and addslashes() modifies this to become 0xbf5c27, a valid multi-byte character followed by a single quote. In other words, I can successfully inject a single quote despite your escaping. That's because 0xbf5c is interpreted as a single character
注意:
Please, don't use
mysql_*functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
关于php - addslashes() 是否足够安全以避免 SQL 注入(inject)?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/26966056/
相关文章:
php - phpcurl 的 Soap Python 响应中的 NameError
php - 字符编码错误,无法通过 PHP 从 MySQL 写入有效的 XML
java - 使用 Mybatis 检查 SQL 注入(inject)的输入
php - 为什么要使用 ATTR_EMULATE_PREPARES,mysql_real_escape_string 有什么替代品吗?在 PDO 中
php - 如何将 css 类添加到我的示例 php 代码中
mysql - 我如何将社区构建器从 joomla 1.0 迁移到 joomla2.5