说我有一个表单发送数据HTTP POST到PHP文件。我在输入框中输入以下内容,并提交表单:
Hello,Jimmy O'Toole说。如果您在收到此POST数据的PHP页面上打印/回显输入,则会显示为Jimmy O \'Toole说:
\Hello \这是令人困惑的一点。如果我将这个输入字符串放入(My)SQL并执行它,它将进入数据库(因为引号被转义),但会停止SQL注入?
如果我输入输入字符串,并调用类似 mysqli real_escape_string ,它出现如下:
\\Hello\\ Jimmy O说,所以当它通过(My)SQL进入数据库时,它最终如下:
\Hello \,Jimmy O \'Toole说。这显然有太多斜杠。
所以如果输入通过HTTP POST作为转义,你是否必须再次转义,以使(My)SQL安全吗?或者我只是看不到有什么明显的东西?
提前感谢任何帮助。
解决方案啊,魔术报价的奇迹啊。它使您的POST表单中不必要的转义。您应该禁用(或中和)他们,并且您的许多头痛消失。以下是一个示例性文章: www.sitepoint/blogs/2005/03/02/magic-quotes-headaches/
概述:禁用魔术报价,使用 real_escape_string()。
One thing that's always confused me is input escaping and whether or not you're protected from attacks like SQL injection.
Say I have a form which sends data using HTTP POST to a PHP file. I type the following in an input field and submit the form:
"Hello", said Jimmy O'Toole.If you print/echo the input on the PHP page that receives this POST data, it comes out as:
\"Hello\", said Jimmy O\'Toole.This is the point where it gets confusing. If I put this input string into (My)SQL and execute it, it'll go into the database fine (since quotes are escaped), but would that stop SQL injection?
If I take the input string and call something like mysqli real_escape_string on it, it comes out like this:
\\"Hello\\", said Jimmy O\\'Toole.So when it goes into the database via (My)SQL, it ends up as:
\"Hello\", said Jimmy O\'Toole.This obviously has too many slashes.
So if the input comes through HTTP POST as escaped, do you have to escape it again to make it safe for (My)SQL? Or am I just not seeing something obvious here?
Thanks in advance for any help.
解决方案Ah, the wonders of magic quotes. It is making those unnecessary escapes from your POST forms. You should disable (or neutralize) them, and many of your headaches go away.
Here's an exemplary article of the subject: www.sitepoint/blogs/2005/03/02/magic-quotes-headaches/
Recap: disable magic quotes, use real_escape_string().
更多推荐
了解在PHP中转义的输入
发布评论