Are dynamic mysql queries with sql escaping just as secure as prepared statements?
This article presents an approach to the question "Are dynamic mysql queries with sql escaping just as secure as prepared statements?" and should be useful as a reference for solving the problem; readers who need it can follow the 跟版网 editor through it below.



I have an application which would greatly benefit by using dynamic mysql queries in combination with mysql (mysqli) real escape string. If I ran all data received from the user through mysql real escape would it be just as secure as using mysql prepared statements?



Definitely NO.

While the question in the title is ambiguous and can be interpreted as "Are dynamic mysql queries with every one of their parts properly formatted..." and thus has a positive answer, the question in the body is not:

If I ran all data received from the user through mysql real escape would it be just as secure as using mysql prepared statements?


If you look at this question more closely, you will understand that it is just a magic quotes incarnation! The very purpose of this disgraced, deprecated and removed feature was exactly to "run all user input through escape".
Everyone knows nowadays that magic quotes are bad. Why a positive answer then?


Okay, it seems that it needs to be explained again why bulk escaping is bad.


The root of the problem is a quite strong delusion, shared by almost every PHP user:
Everyone has a strange belief that escaping does something to "dangerous characters" (what are they?) making them "safe" (how?). Needless to say, it's complete rubbish.


• Escaping doesn't "sanitize" anything.
• Escaping has nothing to do with injection.
• Escaping has nothing to do with user input.

Escaping is merely string formatting and nothing else.
When you need it - you need it regardless of any injection possibility.
When you don't need it - it won't help against injection even a little.


Speaking of the difference from prepared statements, there is at least one issue (which has already been mentioned many times under the sql-injection tag):
code like this

$clean = mysql_real_escape_string($_POST['some_dangerous_variable']);
// no quotes around $clean: an input such as 1 OR 1=1 contains nothing to escape and passes through unchanged
$query = "SELECT * FROM someTable WHERE somevalue = $clean";

will NOT help you against injection.
Because escaping is just a string formatting facility, not an injection preventer by any means.
Go figure.


However, escaping does have something in common with prepared statements:
neither of them guarantees protection from injection if

• you use it only for the infamous "user input" instead of as a strict rule for building any query, regardless of the data source.
• what you need to insert is not data but an identifier or a keyword.

To be safe in these circumstances, see my answer explaining FULL sql injection protection how-to

Long story short: you can consider yourself safe only if you make 2 essential corrections and one addition to your initial statement:

If I ran all data received from the user through mysql real escape and always enclosed it in quotes (and, as ircmaxell mentioned, mysqli_set_charset() is used to make mysqli_real_escape_string() actually do its work (in such a rare occasion as using some odd encoding like GBK)) would it be just as secure as using mysql prepared statements?

Following these rules - yes, it would be as secure as native prepared statements.
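The two corrections the answer insists on (always quote the escaped value, and make the escaper aware of the real connection charset via mysqli_set_charset()) can be watched failing and succeeding without a database. The block below is an added example written for this page, not code from the answer, from PHP or from mysqli: it is a Python simulation with a byte-level escaper that follows the escaping rules of mysql_real_escape_string, once as a client that believes the charset is single-byte and once as a client that knows it is GBK, plus a minimal GBK-aware string-literal scanner standing in for the MySQL lexer. The `users` table, both payloads, and the escaper/scanner logic are assumptions constructed for the demonstration and modelled on MySQL's documented behaviour, not taken from the server's source.

```python
"""Simulation of escaping vs. quoting vs. connection charset (constructed example).

Not mysqli and not MySQL: the escaper mirrors the rules of mysql_real_escape_string
(escape \\0 \\n \\r \\Z \\\\ ' and "; with a multi-byte charset, pass valid characters
through and escape a lone lead byte) and the scanner mirrors how a GBK-aware lexer
with backslash escapes finds the end of a quoted literal.
"""


def is_gbk_lead(b: int) -> bool:
    """First byte of a two-byte GBK character."""
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    """Second byte of a two-byte GBK character (0x5C, the backslash, is a valid trail byte)."""
    return 0x40 <= b <= 0xFE and b != 0x7F


# Single-byte escapes applied by mysql_real_escape_string.
ESCAPES = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x5C: b"\\\\", 0x27: b"\\'", 0x22: b'\\"'}


def escape_string(data: bytes, gbk_aware: bool) -> bytes:
    """Escape `data` for use inside a quoted MySQL literal.

    gbk_aware=False: the client believes the connection charset is single-byte
    (e.g. after a bare `SET NAMES gbk`, which the client library never sees),
    so every byte is handled on its own.
    gbk_aware=True: what happens after mysqli_set_charset('gbk'): valid two-byte
    characters pass through untouched, and a lead byte that does not form a
    valid character is itself escaped, so it can never be glued to the 0x5C of
    a following escape sequence.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if gbk_aware and is_gbk_lead(b):
            if i + 1 < len(data) and is_gbk_trail(data[i + 1]):
                out += data[i:i + 2]
                i += 2
                continue
            out += b"\\" + bytes([b])  # orphan lead byte: escape it
            i += 1
            continue
        out += ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_end(query: bytes, start: int) -> int:
    """Index of the quote closing the literal opened just before `start`,
    as a GBK-aware lexer with backslash escapes would find it."""
    i = start
    while i < len(query):
        b = query[i]
        if is_gbk_lead(b) and i + 1 < len(query) and is_gbk_trail(query[i + 1]):
            i += 2          # one two-byte character, whatever its second byte is
        elif b == 0x5C:
            i += 2          # backslash: the next byte is escaped
        elif b == 0x27:
            return i
        else:
            i += 1
    raise ValueError("unterminated string literal")


def breaks_out_quoted(payload: bytes, gbk_aware: bool) -> bool:
    """True if the escaped payload, wrapped in quotes, still terminates the
    literal early (the lexer finds a closing quote before the one we added)."""
    prefix = b"SELECT * FROM users WHERE name = '"
    query = prefix + escape_string(payload, gbk_aware) + b"'"
    return literal_end(query, len(prefix)) != len(query) - 1


def build_unquoted(payload: bytes) -> bytes:
    """The answer's first rule: without quotes, escaping changes nothing."""
    return b"SELECT * FROM users WHERE id = " + escape_string(payload, gbk_aware=True)


GBK_PAYLOAD = b"\xbf\x27 OR 1=1 -- "   # constructed: orphan lead byte, then a quote
NUMERIC_PAYLOAD = b"1 OR 1=1"           # constructed: no quote needed at all

if __name__ == "__main__":
    print("unquoted        :", build_unquoted(NUMERIC_PAYLOAD))
    print("byte-wise escape:", "INJECTED" if breaks_out_quoted(GBK_PAYLOAD, False) else "safe")
    print("GBK-aware escape:", "INJECTED" if breaks_out_quoted(GBK_PAYLOAD, True) else "safe")
    print("plain quote     :", "INJECTED" if breaks_out_quoted(b"' OR 1=1 -- ", False) else "safe")
```

The unquoted numeric payload reaches the query untouched, because there is nothing in it to escape. The GBK payload is escaped in both modes, but the byte-wise escaper leaves 0xBF in front of the backslash it inserts, and the lexer reads 0xBF 0x5C as one two-byte character, which un-escapes the quote; the charset-aware escaper escapes the orphan 0xBF as well, so the backslash before the quote survives and the literal ends where the code intended.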

This concludes the article on "Are dynamic mysql queries with sql escaping just as secure as prepared statements?"; we hope the recommended answer is helpful, and please keep supporting 跟版网!


