可能重复:
mysql_real_escape_string((和mysql_escape/string((是否足以保证应用程序的安全性?
我是PHP的新手,我想确定一下。如果我使用mysql_real_sescape_string进行用户生成的输入(变量(,那么查询不会被黑客入侵吗?
示例脚本:
// Getting Unique ID
$sql = "select `Person_id` from `accounts` where `username` = '$username'";
$query = mysql_query($sql) or die ("Error: ".mysql_error());
while ($row = mysql_fetch_array($query)){
$pid = $row['Person_ID'];
}
mysql_free_result($query);
$username = mysql_real_escape_string($_POST['Username']);
$newname = mysql_real_escape_string($_POST['Full_name']);
$newgender = mysql_real_escape_string($_POST['Patient_gender']);
$newmonth = mysql_real_escape_string($_POST['Month']);
$newday = mysql_real_escape_string($_POST['Day']);
$newyear = mysql_real_escape_string($_POST['Year']);
$newacctss = mysql_real_escape_string($_POST['Acct_SS']);
$newaddress = mysql_real_escape_string($_POST['Address']);
$newaddress2 = mysql_real_escape_string($_POST['Address2']);
$newcity = mysql_real_escape_string($_POST['City']);
$newstate = mysql_real_escape_string($_POST['State']);
$newzipcode = mysql_real_escape_string($_POST['Zip_code']);
$newhomephone = mysql_real_escape_string($_POST['Home_phone']);
$newcellphone = mysql_real_escape_string($_POST['Cell_phone']);
$neworkphone = mysql_real_escape_string($_POST['Work_phone']);
$newsure = mysql_real_escape_string($_POST['Sure']);
$newfav = mysql_real_escape_string($_POST['Favorite']);
$newcars = mysql_real_escape_string($_POST['Cars']);
$newdrinks = mysql_real_escape_string($_POST['Drinks']);
$newmoi = mysql_real_escape_string($_POST['About_moi']);
//Update Name Only
$sql = "UPDATE accounts SET `full_name` = '$newname' WHERE Username = '$username'";
$query1 = mysql_query($sql) or die ("Error: ".mysql_error());
//Everything else being udpated here
$sql2 = "UPDATE profile SET `Patient_gender` = '$newgender',
`Month` = '$newmonth', `Day` = '$newday', `Year` = '$newyear',
`Acct_SS` = '$newacctssn', `Address` = '$newaddress',
`Address2` = '$newaddress2', `City` = '$newcity', `State` = '$newstate',
`Zip_code` = '$newzipcode', `Home_phone` = '$newhomephone',
`Cell_phone` = '$cellphone', `Work_phone` = '$neworkphone',
`Sure` = '$newsure', `Favorite` = '$newfav', `Cars` = '$newcars',
`Drinks` = '$newdrinks', `About_moi` = '$newmoi' WHERE Person_id = '$pid'";
$query2 = mysql_query($sql2) or die ("Error: ".mysql_error());
不要使用直接的mysql使用mysqli(注意i(或PDO库,并使用准备好的语句。使用准备好的语句比使用直接查询并在查询字符串中包含变量更安全。
根据PHP文档,mysql将被弃用。它不再是不发达的,应该使用mysqli和PDO扩展。
如果您同时使用引号和mysql_real_eescape_string,那么您是非常安全的。出于其他原因,您可能需要查看PDO或至少是mysqli。