Question
When is the correct time to use mysql_real_escape_string?
Should I be using it when I use isset(mysql_escape_string($_GET['param']))?
Should I be using it when I use $foo = mysql_real_escape_string($_GET['bar']);?
Thanks
Answer 1:
You need to call this function when building SQL queries with string literals.
You should not call it anywhere else.
The point of calling this function is to prevent you from executing SQL like SELECT * FROM Students WHERE Name = 'Robert'); DROP TABLE Students;--'. mysql_real_escape_string will escape the ' character so that the evil string is treated entirely as a string.
Answer 2:
You should use it whenever you don't trust the data you are inserting in a MySQL query, to prevent SQL injections. For example, all user form data. In your first example: no. Second example: yes, if you are going to use the $foo variable in a query.
Answer 3:
You should use it whenever you are inserting data into a database query (POST/GET data), but not if you just need to check the data.
Answer 4:
You use mysql_real_escape_string whenever you have input from a user that you want to use in a query.
Here's how to use it:
$user = mysql_real_escape_string($_GET['user']);   // escape the raw input
$password = MD5($user.$_GET['password']);
$query = "SELECT * FROM users WHERE user = '$user' AND password = '$password' ";
// the quotes around '$user' and '$password' are vital !! or you will not be safe!
Here's example code that doesn't work:
Broken code:
$user = mysql_real_escape_string($_GET['user']);
$password = MD5($user.$_GET['password']);
// BROKEN: $user is not wrapped in quotes, so escaping does nothing useful here
$query = "SELECT * FROM users WHERE user = $user AND password = '$password' ";
In the example I can log into your system by entering any password whatsoever and the user name: user or (1=1) --
This will make the query read:
SELECT * FROM users WHERE user = user or (1=1) -- AND password = '$password'
And it will approve all logins, because the password never gets checked.
When using mysql_query, you can only ever execute one SQL statement at a time, so:
$query = "SELECT * FROM a; DELETE FROM a WHERE (1=1)";
mysql_query($query);
Will result in an error, because nothing can follow the ;.
This code however will work:
Danger:
$query = "SELECT * FROM a; DELETE FROM a WHERE (1=1)";
mysqli_query($link, $query);   // $link is an open mysqli connection
Because the improved mysqli_query does allow two or more statements to be executed in one go.
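Added example (not from any of the answers above, nor from the PHP project): the two safe ways to put untrusted input into a MySQL query with mysqli, which is the API to use since the mysql_* functions were removed in PHP 7. The first function shows the point of Answer 4 (escaping only helps when the escaped value sits inside quotes); the second uses a prepared statement, where the value never becomes part of the SQL text at all. The connection $db, the table users with columns user and password, and the already-hashed password value are assumptions for the example, and get_result() assumes the mysqlnd driver.

```php
<?php
declare(strict_types=1);

// Escaping approach: correct only when the escaped value is wrapped in
// single quotes in the SQL text. mysqli::real_escape_string needs the
// connection because escaping depends on the connection's character set.
function login_query_escaped(mysqli $db, string $user, string $passwordHash): string
{
    $u = $db->real_escape_string($user);
    $p = $db->real_escape_string($passwordHash);

    // With the quotes in place, an input like  user or (1=1) --  is just the
    // literal string 'user or (1=1) --' compared against the user column.
    return "SELECT * FROM users WHERE user = '$u' AND password = '$p'";
}

// Prepared-statement approach: no quoting or escaping decision to get wrong,
// and it also covers numeric columns, where quoting is not an option.
function login_prepared(mysqli $db, string $user, string $passwordHash): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
    $stmt->bind_param('ss', $user, $passwordHash);   // both bound as strings
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();      // first matching row or null
    $stmt->close();
    return $row ?: null;
}

// Usage (needs a live connection; host and credentials are placeholders):
// $db  = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME');
// $row = login_prepared($db, $_POST['user'] ?? '', $hashedPassword);
```

If you keep the escaping style, treat the rule from Answer 4 as absolute: every escaped value must appear between quotes, and every column compared to user input must be a string column. Prepared statements remove that class of mistake, which is why they are the better default for any query that includes user-supplied data.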
Source: https://stackoverflow.com/questions/6243845/when-to-use-mysql-real-escape-string