Community Learn Tools Library Leisure

English

Home > Backend Development > PHP Tutorial > 如何安全过滤用户提交的数据提交到数据库

如何安全过滤用户提交的数据提交到数据库

WBOY

Release： 2016-06-06 20:49:56

Original

1097 people have browsed it

sql注入总是无孔不入（ps：' or 1=1#），该如何安全的过滤好呢（我用的php和mysql_connect）?

回复内容：

sql注入总是无孔不入（ps：' or 1=1#），该如何安全的过滤好呢（我用的php和mysql_connect）?

可以使用 mysql_real_escape_string() 对字符串进行转义，然后再放进 SQL。

<code class="lang-php">$name = mysql_real_escape_string($_POST['name']);
mysql_query('SELECT * FROM `users` WHERE `name` = "'.$name.'"');

//改进版。防 SQL 注入，同时屏蔽 _ 和 % 字符
function escape($str) {
  $str = mysql_real_escape_string($str);
  $str = str_replace(['_', '%'], ['\\_', '\\%'], $str);
  return $str;
}

</code>

Copy after login

这里有官方介绍：http://www.php.net/manual/zh/function.mysql-real-escape-string.php

个人建议还是使用一个WEB框架，常见的WEB框架都有完善的防注入机制。
例如：
简单、快速入门的：CodeIgniter
功能更全面的：Yii (这个官网有时会被墙）

<code>select * from users where name = @name
</code>

Copy after login

参数化查询（Parameterized Query 或 Parameterized Statement）是访问数据库时，在需要填入数值或数据的地方，使用参数 (Parameter) 来给值。

在使用参数化查询的情况下，数据库服务器不会将参数的内容视为SQL指令的一部份来处理，而是在数据库完成SQL指令的编译后，才套用参数运行，因此就算参数中含有指令，也不会被数据库运行。Access、SQL Server、MySQL、SQLite等常用数据库都支持参数化查询。

Related labels：

mysql php

source：php.cn

Previous article：sphinx 如何统计数量？ Next article：请教：关于移动app后端接口多版本的策略

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Latest Articles by Author

What is a NullPointerException, and how do I fix it?

2024-10-22 09:46:29
From Novice to Coder: Your Journey Begins with C Fundamentals

2024-10-13 13:53:41
Unlocking Web Development with PHP: A Beginner's Guide

2024-10-12 12:15:51
Demystifying C: A Clear and Simple Path for New Programmers

2024-10-11 22:47:31
Unlock Your Coding Potential: C Programming for Absolute Beginners

2024-10-11 19:36:51
Unleash Your Inner Programmer: C for Absolute Beginners

2024-10-11 15:50:41
Automate Your Life with C: Scripts and Tools for Beginners

2024-10-11 15:07:41
PHP Made Easy: Your First Steps in Web Development

2024-10-11 14:21:21
Build Anything with Python: A Beginner's Guide to Unleashing Your Creativity

2024-10-11 12:59:11
The Key to Coding: Unlocking the Power of Python for Beginners

2024-10-11 12:17:31

Latest Issues

How to display only the lowest value from a result set (MYSQL) I have the following statement: selectDATE(recieved_on)asDay,round(count(*)/24)AS'average'...

From 2024-04-06 21:44:19

0

1

603

Calculate the sum of fields in another table using MySQL SQL query I have a schema like this: User table with attributes "user_id" and "userna...

From 2024-04-06 19:39:29

0

1

441

MySQL: "Select text from... as <variable here or subquery>" I have the following table with the following data: id text language 1 german text german ...

From 2024-04-06 19:25:54

0

2

529

How to group and count in MySQL? I'm trying to write a query that extracts the total number of undeleted messages sent to f...

From 2024-04-06 18:30:17

0

1

353

MySQL gets data from multiple tables I have a eg_design table which contains the following columns: and eg_domains table which ...

From 2024-04-06 18:42:44

0

2

479

Related Topics

More>

Popular Recommendations

Popular Tutorials

More>

Related Tutorials

Popular Recommendations

Latest courses

Latest Downloads

More>

Web Effects

Website Source Code

Website Materials

Front End Template