Reposted from: http://www.webappsec.org/projects/articles/091007.shtml
mysql_real_escape_string() alone is not enough to prevent SQL injection. Some parameter values can be wrapped in quotes, and for those the escaping works. Others, such as column, table or database names, cannot be placed inside a quoted string literal, and since mysql_real_escape_string() only rewrites the handful of characters that are special inside string literals (NUL, \n, \r, backslash, single quote, double quote and Ctrl-Z), it offers no protection at all when user input lands in one of those positions.
mysql_real_escape_string() is a necessary, but not sufficient measure. Here are the "checklist" rules one must follow to make sure the dynamic SQL code is not vulnerable to SQL injection:
- Write properly quoted SQL:
  - Single quotes around values (string literals and numbers)
  - Backtick quotes around identifiers (databases, tables, columns, aliases)
- Properly escape the strings and numbers:
  - mysql_real_escape_string() for all values (string literals and numbers)
  - intval() for all number values and the numeric parameters of LIMIT
- Escape wildcard/regexp metacharacters (addcslashes($s, '%_') before escaping a value used with LIKE; you had better avoid REGEXP/RLIKE altogether, since their metacharacter set is much larger)
- If identifiers (columns, tables or databases) or keywords (such as ASC and DESC) are taken from script parameters, make sure (and enforce) that each value is one of an explicit set of permitted options; escaping cannot help here, because these values are never inside quotes
- No matter what validation steps you take when processing the user input in your scripts, always do the escaping steps before issuing the query. Validation is not a substitute for escaping!
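The following is an added example, not code from the original article: a Python rendering of the whole checklist above for one dynamic query, plus the unsafe variant the article warns about. The `users` table, the column set, the request keys (`q`, `sort`, `dir`, `limit`) and the function names are assumptions. Because mysql_real_escape_string() needs a live connection, the example carries a local `escape_string()` that rewrites exactly the characters that function rewrites, so it runs without a database; with a real connection you would call the library function instead.

```python
import re

# Characters that mysql_real_escape_string() rewrites, and what it emits for
# them.  Mirrored here (assumption: single-byte-safe connection charset) so the
# example runs without a MySQL connection.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

# Explicit sets of identifiers and keywords a request may name (assumed schema).
ALLOWED_SORT_COLUMNS = {"id", "name", "email", "created_at"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def escape_string(value: str) -> str:
    """Same rewriting as mysql_real_escape_string().  Note what is NOT in the
    table: backticks, '%', '_', ';', parentheses and spaces."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def quote_value(value) -> str:
    """Escape, then wrap in single quotes.  Numbers too, so a numeric slot can
    never accept something like  1 OR 1=1  as bare SQL."""
    return "'" + escape_string(str(value)) + "'"


def intval(value) -> int:
    """PHP intval() semantics for strings: leading integer, else 0, never an error."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def escape_like(value: str) -> str:
    """addcslashes($value, '%_'): neutralise LIKE wildcards.  Apply BEFORE
    quote_value(), which then doubles the backslashes for the string literal."""
    return value.replace("%", "\\%").replace("_", "\\_")


def quote_identifier(name: str, allowed: set) -> str:
    """Identifiers are never escaped: they are accepted only from an explicit
    set, then backtick-quoted."""
    if name not in allowed:
        raise ValueError(f"identifier not permitted: {name!r}")
    return "`" + name + "`"


def choose_keyword(word: str, allowed: set) -> str:
    """Keywords such as ASC/DESC likewise come only from an explicit set."""
    word = word.upper()
    if word not in allowed:
        raise ValueError(f"keyword not permitted: {word!r}")
    return word


def build_search_query(params: dict) -> str:
    """Assemble a user search following every rule of the checklist.
    `params` stands in for $_GET (constructed input; keys are assumptions)."""
    pattern = quote_value(escape_like(params.get("q", "")) + "%")  # trailing % is ours
    column = quote_identifier(params.get("sort", "id"), ALLOWED_SORT_COLUMNS)
    direction = choose_keyword(params.get("dir", "ASC"), ALLOWED_DIRECTIONS)
    limit = min(max(intval(params.get("limit", 10)), 1), 100)
    return (
        "SELECT `id`, `name`, `email` FROM `users` "
        f"WHERE `name` LIKE {pattern} ORDER BY {column} {direction} LIMIT {limit}"
    )


def build_search_query_unsafe(params: dict) -> str:
    """The pattern the article warns about: escaping is applied to everything,
    but the ORDER BY column is an identifier, so escaping cannot protect it."""
    pattern = quote_value(escape_like(params.get("q", "")) + "%")
    column = escape_string(params.get("sort", "id"))          # escaped, not whitelisted
    return (
        "SELECT `id`, `name`, `email` FROM `users` "
        f"WHERE `name` LIKE {pattern} ORDER BY {column} LIMIT 10"
    )


if __name__ == "__main__":
    good = {"q": "50%_off", "sort": "name", "dir": "desc", "limit": "5; DROP TABLE users"}
    print(build_search_query(good))
    # A payload with no quote characters passes escape_string() unchanged and
    # lands in the unsafe query as live SQL; the whitelisted builder rejects it.
    evil = {"q": "a", "sort": "name DESC, (SELECT SLEEP(5))"}
    print(build_search_query_unsafe(evil))
    try:
        build_search_query(evil)
    except ValueError as e:
        print("rejected:", e)
```

Two things worth noticing when you run it: the `limit` value `5; DROP TABLE users` is reduced to `5` by `intval()` rather than rejected, which is exactly the behaviour the checklist relies on for numeric LIMIT parameters, and the `sort` payload contains none of the seven characters the escaping function touches, so the unsafe builder emits it verbatim while the whitelisted builder raises before any SQL is assembled.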