php mysql 防注入
使用 mysql_real_escape_string 防注入

注意事项:

1、It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters. 

2、If you are only testing, then you may as well use mysql_escape_string(), it's not 100% guaranteed against SQL injection attacks, but it's impossible to build anything safer without a DB connection.

3、If you must change the character set of the connection, use the mysql_set_character_set() function rather than executing a SET NAMES (or SET CHARACTER SET) statement. mysql_set_character_set() works like SET NAMES but also affects the character set used by mysql_real_escape_string(), which SET NAMES does not.


性能方面:

mysql_real_escape_string 依赖于链接,需要获取链接字符集,理论上只需要获取一次就够了,不需要服务器做额外的事情,因此和mysql_escape_string 相差无几,可以通过测试验证;(未验证,如有验证过的同学,可以回复下)

已验证:验证方法,建立mysql链接后,sleep几秒,断开网络,mysql_real_escape_string 依然可以执行,因此不依赖服务器做额外工作


set names 改变编码不可取,因为不会相应的改变mysql链接的编码,使得mysql_real_escape_string使用的字符集错误,造成潜在的安全漏洞


参考资料

https://stackoverflow.com/questions/1162491/alternative-to-mysql-real-escape-string-without-connecting-to-db

https://dev.mysql.com/doc/refman/5.5/en/mysql-real-escape-string.html

阅读更多
个人分类: php
想对作者说点什么? 我来说一句

没有更多推荐了,返回首页

不良信息举报

php mysql 防注入

最多只允许输入30个字

加入CSDN,享受更精准的内容推荐,与500万程序员共同成长!
关闭
关闭