^mysql_real_escape_string的好有关问题-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

^mysql_real_escape_string的好有关问题

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 am 10:12 AM

escapemysqlstring

^-^mysql_real_escape_string的好问题
大家伙们都经常用mysql_real_escape_string,我有个疑问，这个函数是不是只有开了mysql扩展才能用，如果我用的是oracle数据库呢。我没开mysql_real_escape_string,我怎么办。

我查了一下php.net，有如下函数，基本上都是针对每一个数据库的。我的问题：有没有一个通用的mysql_real_escape_string,这个样子的呢？

mysql_real_escape_string
maxdb_real_escape_string
ingres_escape_string
cubrid_real_escape_string
pg_escape_string
mysql_escape_string
maxdb_escape_string
dbx_escape_string
db2_escape_string
mysqli_escape_string
sqlite_escape_string

还有一个问题是：mysql_real_escape_string能完全防止SQL注入吗？

------解决方案--------------------
弄明白 mysql_real_escape_string的功效你完全可以用正则之类的方法来实现，至于是不是要装了扩展才能用我不清楚。

第2个问题
mysql_real_escape_string函数转义 SQL 语句中使用的字符串中的特殊字符,不是用来针对SQL注入攻击的.所以你的问题就有答案了.
不能说用了转义就100%的安全，我前段时间看到有说将'转成16进制的，然后到了mysql却能正常识别。当然我自己没去测试过这个说法是否真的可行，但要相信那些骇客每天削尖了脑袋在想这些。

打算最近写个帖子大家一起来讨论这个令人烦恼的问题.
------解决方案--------------------
对于SQL注入我也是最近在关注，其实并不会比你知道的多，所以希望写个帖子和大家讨论一下，欢迎来指点。

这里有一个据说是dz的

$magic_quotes_gpc = get_magic_quotes_gpc();
@extract(daddslashes($_COOKIE));
@extract(daddslashes($_POST));
@extract(daddslashes($_GET));
if(!$magic_quotes_gpc) {
$_FILES = daddslashes($_FILES);
}

function daddslashes($string, $force = 0) {
if(!$GLOBALS['magic_quotes_gpc'] || $force) {
if(is_array($string)) {
foreach($string as $key => $val) {
$string[$key] = daddslashes($val, $force);
}
} else {
$string = addslashes($string);
}
}
return $string;
}
echo daddslashes('jafoakfok*&%^:"');

还有别人写的

function str_filter($str){
$str=htmlspecialchars($str);
if(!get_magic_quotes_gpc()){
$str=addslashes($str);
}
//过滤危险字符
return preg_replace("/[\"\'=]|(and)|(or)|(create)|(update)|(alter)|(delete)|(insert)|(count)|(%20)|(char)/i","",$str);
}

网上应该还蛮多的.
------解决方案--------------------
mysql的不适用sqlite，sqlite的不适用mysql。
------解决方案--------------------

探讨
我查了一下php.net，有如下函数，基本上都是针对每一个数据库的。我的问题：有没有一个通用的mysql_real_escape_string,这个样子的呢？

还有一个问题是：mysql_real_escape_string能完全防止SQL注入吗？

------解决方案--------------------
親 PDO::Quote 就是加引號而已...哈哈哈不是額外贈送.

------解决方案--------------------
PDO::Quote
mysql_real_escape_string

都是对特殊字符进行转义
不同的是：后者只针对 mysql，前者可用于所有的数据库
注意不同的数据库对于特殊字符和转义后的结果是不同的

至于 PDO::Quote 会奉送一对单引号，是有他的考虑的
这个函数会在动态绑定时被内部调用。而被预处理的 SQL 表达式中的参数是不需要用单引号括起的。但传递给数据库的 SQL 指令却是要有的

------解决方案--------------------
也不竟然

PHP code

$db = new PDO('mysql:dbname=test');$ar = array( 'aa', "b'b", 123);$ar = array_map(array($db, 'Quote'), $ar);echo join(',', $ar);<br><font color="#e78608">------解决方案--------------------</font><br>mysql_real_escape_string和其它普通escape函数的不同点在于它是编码安全的,会根据你的cient编码<br>(用mysql_set_charset设定编码)来分析字串而不是全当ansi处理<br><br>PDO::Quote加引号是因为在prepare的时候一般写成:<br>WHERE calories 这样,字串由quote根据变量类型加上引号,而非字串不会加<br><font color="#e78608">------解决方案--------------------</font><br>这问题贴讨论的有意思。<br><font color="#e78608">------解决方案--------------------</font><br><br>据说在新的之前，set xxx. 记不清了，新版本有设定字符的方法，以前所有方案已不推荐。<br><br>mysql_real_escape_string是是编码安全的， 安全级别最高。比addslash之类的都高。 它是编码安全的。<div class="clear">
                 
              
              
        
            </div>

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP Email: Step-by-Step Sending GuideMay 09, 2025 am 12:14 AM

PHPisusedforsendingemailsduetoitsintegrationwithservermailservicesandexternalSMTPproviders,automatingnotificationsandmarketingcampaigns.1)SetupyourPHPenvironmentwithawebserverandPHP,ensuringthemailfunctionisenabled.2)UseabasicscriptwithPHP'smailfunct

How to Send Email via PHP: Examples & CodeMay 09, 2025 am 12:13 AM

The best way to send emails is to use the PHPMailer library. 1) Using the mail() function is simple but unreliable, which may cause emails to enter spam or cannot be delivered. 2) PHPMailer provides better control and reliability, and supports HTML mail, attachments and SMTP authentication. 3) Make sure SMTP settings are configured correctly and encryption (such as STARTTLS or SSL/TLS) is used to enhance security. 4) For large amounts of emails, consider using a mail queue system to optimize performance.

Advanced PHP Email: Custom Headers & FeaturesMay 09, 2025 am 12:13 AM

CustomheadersandadvancedfeaturesinPHPemailenhancefunctionalityandreliability.1)Customheadersaddmetadatafortrackingandcategorization.2)HTMLemailsallowformattingandinteractivity.3)AttachmentscanbesentusinglibrarieslikePHPMailer.4)SMTPauthenticationimpr

Guide to Sending Emails with PHP & SMTPMay 09, 2025 am 12:06 AM

Sending mail using PHP and SMTP can be achieved through the PHPMailer library. 1) Install and configure PHPMailer, 2) Set SMTP server details, 3) Define the email content, 4) Send emails and handle errors. Use this method to ensure the reliability and security of emails.

What is the best way to send an email using PHP?May 08, 2025 am 12:21 AM

ThebestapproachforsendingemailsinPHPisusingthePHPMailerlibraryduetoitsreliability,featurerichness,andeaseofuse.PHPMailersupportsSMTP,providesdetailederrorhandling,allowssendingHTMLandplaintextemails,supportsattachments,andenhancessecurity.Foroptimalu

Best Practices for Dependency Injection in PHPMay 08, 2025 am 12:21 AM

The reason for using Dependency Injection (DI) is that it promotes loose coupling, testability, and maintainability of the code. 1) Use constructor to inject dependencies, 2) Avoid using service locators, 3) Use dependency injection containers to manage dependencies, 4) Improve testability through injecting dependencies, 5) Avoid over-injection dependencies, 6) Consider the impact of DI on performance.

PHP performance tuning tips and tricksMay 08, 2025 am 12:20 AM

PHPperformancetuningiscrucialbecauseitenhancesspeedandefficiency,whicharevitalforwebapplications.1)CachingwithAPCureducesdatabaseloadandimprovesresponsetimes.2)Optimizingdatabasequeriesbyselectingnecessarycolumnsandusingindexingspeedsupdataretrieval.

PHP Email Security: Best Practices for Sending EmailsMay 08, 2025 am 12:16 AM

ThebestpracticesforsendingemailssecurelyinPHPinclude:1)UsingsecureconfigurationswithSMTPandSTARTTLSencryption,2)Validatingandsanitizinginputstopreventinjectionattacks,3)EncryptingsensitivedatawithinemailsusingOpenSSL,4)Properlyhandlingemailheaderstoa

See all articles