发表新帖
发表新帖

Is mysql_real_escape_string enough to Anti SQL Injection?

后端 未结
关注
3 1397
情书的邮戳
情书的邮戳 2020-12-03 18:32

In PHP Manual, there is a note:

Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.

相关标签:
3条回答
  • 一个人的身影
    2020-12-03 19:16

    As far as i know this is a solid way to avoid SQL Injection attacks.

    0 讨论(0)
  • 萌比男神i
    2020-12-03 19:18

    The best solution is PDO.

    If you're using the traditional mysql_query then running all of your data through mysql_real_escape_string() is enough.

    0 讨论(0)
  • 臣服心动
    2020-12-03 19:21

    mysql_real_escape_string is usually enough to avoid SQL injection. This does depend on it being bug free though, i.e. there's some small unknown chance it is vulnerable (but this hasn't manifested in the real world yet). A better alternative which completely rules out SQL injections on a conceptual level is prepared statements. Both methods entirely depend on your applying them correctly; i.e. neither will protect you if you simply mess it up anyway.

    0 讨论(0)
 看不清?
提交回复
热议问题