Escaping user input from database necessary?

逝去的感伤 2020-12-28 19:30

So I know about MySQL injection and always escape all my user input before putting it in my database. However I was wondering, imagine a user tries to submit a query to inje

4 answers
  •  有刺的猬
    2020-12-28 20:21

    I'd say that the whole idea of this question is wrong.

    You're taking this problem the absolutely wrong way.
    One doesn't have to count his queries, whether it's the first or second or 100th.
    Same goes for the user input: it doesn't matter where the data comes from!

    Data destination, not source, should be your concern. Is this string going to the database? Escape it! With no questions. This rule is plain and simple and requires no query counting or anything.

    But that's not the only fault in your question.
    One:

    Does MySQL automatically escape their output or something like that?

    That's a very bad idea. Funny part, you're fighting with a consequence of the same idea in your code, by applying get_magic_quotes_gpc(). What are these magic quotes if not such automatic escaping?

    Two:
    moreover, using get_magic_quotes_gpc() in your escaping function is a very bad idea again :)

    Imagine you have magic quotes on and are using your function to protect your "second query". And there is some blob that contains a \' sequence in the data. Your function will strip the slash and spoil the data. In fact, stripslashes has absolutely nothing to do with any escaping function. Do it separately, on the data where it belongs - on the user input.

    Three:
    mysql_real_escape_string() is not some magic function that "makes everything safe". In fact, to create a dynamic mysql query, one has to escape four kinds of data:

    • strings
    • numbers
    • identifiers
    • operators

    while mysql_real_escape_string() escapes only one of them. And your query stands absolutely naked in all three other cases. Funny, eh?

    Most disappointing part: I know that all this ultimate knowledge is in vain and would be read scarcely by few noobs and never change either overall knowledge level of PHP community in general, nor answers quality on SO in particular. :(
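The "escape by destination, per kind of data" rule from this answer, worked through as an added example (not code from the question or the answer): each of the four kinds gets its own treatment, and the magic-quotes reversal happens once on the input, outside the escaping helpers. It assumes an open mysqli connection in $db; the table, column and parameter names are constructed for illustration.

```php
<?php
// 1. Strings: the only kind mysqli::real_escape_string() covers. Escaping is
//    only meaningful together with the surrounding quotes, so add them here.
function sqlString(mysqli $db, string $value): string {
    return "'" . $db->real_escape_string($value) . "'";
}

// 2. Numbers: an unquoted number is not protected by string escaping at all;
//    validate it as an integer and emit the cast value.
function sqlInt($value): int {
    $int = filter_var($value, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException('expected an integer');
    }
    return $int;
}

// 3. Identifiers: no escape function makes an arbitrary name safe; accept only
//    names from a fixed list and backtick-quote the accepted one.
function sqlIdent(string $name, array $allowed): string {
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// 4. Operators: same whitelist approach, no escaping involved.
function sqlOp(string $op): string {
    $allowed = ['=', '<', '>', '<=', '>=', '<>', 'LIKE'];
    if (!in_array($op, $allowed, true)) {
        throw new InvalidArgumentException('unknown operator');
    }
    return $op;
}

// Magic quotes (removed in PHP 8, hence the guard): undo them exactly once, on
// the raw input, so the escaping helpers above never see or strip a slash.
function rawInput(string $value): string {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Constructed request: every dynamic part of the query has a known kind.
$term  = sqlString($db, rawInput($_GET['q'] ?? ''));           // string
$op    = sqlOp($_GET['op'] ?? '<=');                             // operator
$price = sqlInt($_GET['max_price'] ?? '100');                    // number
$sort  = sqlIdent($_GET['sort'] ?? 'price', ['price', 'name']);  // identifier
$limit = sqlInt($_GET['limit'] ?? '10');                         // number

$sql = "SELECT `name`, `price` FROM `products` WHERE `name` LIKE $term"
     . " AND `price` $op $price ORDER BY $sort LIMIT $limit";
$result = $db->query($sql);
```

Each helper refuses a value it cannot safely place, so a bad sort column or operator fails loudly instead of being interpolated unchanged.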
