When you execute a SQL query, you have to clean your strings or users can execute malicious SQL on your website.
I usually just have a function escape_string(blah); the MySQL C API has its own mysql_escape_string(). Using it or its equivalent would be best.
I am not sure if MySQL supports parameterized queries; if so, you should make an effort to go this route. This will ensure the user's input can't do anything malicious.
Otherwise some "bad" characters in addition to what you mentioned would be semicolon (;) and comments (-- and /* */).
You're better off using prepared statements with placeholders. Are you using PHP, .NET...either way, prepared statements will provide more security, but I could provide a sample.
For maximum security, performance, and correctness use prepared statements. Here's how to do this with lots of examples in different languages, including PHP:
https://stackoverflow.com/questions/1973/what-is-the-best-way-to-avoid-sql-injection-attacks
In a MySQL query, when using LIKE, also make sure to escape the "_" characters, as it is not escaped by mysql_real_escape_string.
For reference, check here
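As an added example (not code from any of the answers above), this shows the LIKE-wildcard escaping from the last answer combined with parameter binding from the earlier ones. An in-memory SQLite database stands in for MySQL here, since `LIKE ... ESCAPE` behaves the same way for this purpose; the product names are constructed sample data.

```python
import sqlite3

# Constructed sample rows: two of them contain the literal "%" and "_" characters.
PRODUCTS = ["50%_off_sale", "50 off sale", "50X_off", "discount"]

def escape_like(value: str, escape_char: str = "\\") -> str:
    """Escape LIKE wildcards so user input matches literally.

    Parameter binding already stops SQL injection; this step stops '%' and '_'
    inside the bound value from acting as wildcards in the LIKE pattern.
    The escape character itself is doubled first so it cannot be smuggled in.
    """
    return (value.replace(escape_char, escape_char * 2)
                 .replace("%", escape_char + "%")
                 .replace("_", escape_char + "_"))

def search(conn: sqlite3.Connection, term: str, escape_wildcards: bool) -> list[str]:
    """Substring search for term; escape_wildcards=False shows the unsafe behaviour."""
    pattern = "%" + (escape_like(term) if escape_wildcards else term) + "%"
    # The pattern is passed as a bound parameter, never concatenated into the SQL text.
    # The ESCAPE clause tells the database which character escapes the wildcards.
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [row[0] for row in rows]

def make_db() -> sqlite3.Connection:
    """Build the throwaway in-memory table used by the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(p,) for p in PRODUCTS])
    return conn

if __name__ == "__main__":
    db = make_db()
    # Unescaped: '%' and '_' in the user's term act as wildcards and over-match.
    print(search(db, "50%_off", escape_wildcards=False))
    # Escaped: only the row containing the literal text "50%_off" is returned.
    print(search(db, "50%_off", escape_wildcards=True))
```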