Eri*_*ric 0 php mysql sql code-injection
我知道大多数人会对此皱眉头但在我知道PDO语句和转义字符串之前我不确定我应该如何阻止mysql注入.
我创建了一个函数,它接受文本并通过过滤器运行它.我想知道它是否真的会阻止sql注入或者它们是否可以绕过它?我当时的目标是允许用户输入文本并能够在输入时完全显示文本.
除此之外,我还要小心确保用户对数据库的权限不再需要.我是否使用他们的输入来更新或插入新行等.但鉴于我没有,它仍然可以工作?:
function filterInput($textToFilter)
{
if ($textToFilter != null)
{
//a = a
//e = e
//i = i
//o = o
//u = u
//A = A
//E = E
//I = I
//O = O
//U = U
$textToFilter = str_ireplace('insert','insert',$textToFilter);
$textToFilter = str_ireplace('select','select',$textToFilter);
$textToFilter = str_ireplace('values','values',$textToFilter);
$textToFilter = str_ireplace('where','where',$textToFilter);
$textToFilter = str_ireplace('order','order',$textToFilter);
$textToFilter = str_ireplace('into','into',$textToFilter);
$textToFilter = str_ireplace('drop','drop',$textToFilter);
$textToFilter = str_ireplace('delete','delete',$textToFilter);
$textToFilter = str_ireplace('update','update',$textToFilter);
$textToFilter = str_ireplace('set','set',$textToFilter);
$textToFilter = str_ireplace('flush','flush',$textToFilter);
$textToFilter = str_ireplace("'","'",$textToFilter);
$textToFilter = str_ireplace('"',""",$textToFilter);
$textToFilter = str_ireplace(';',";",$textToFilter);
$textToFilter = str_ireplace('>',"›",$textToFilter);
$textToFilter = str_ireplace('<',"‹",$textToFilter);
$textToFilter = nl2br($textToFilter);
$filterInputOutput = $textToFilter;
return $filterInputOutput;
}
}
由于您正在尝试推出自己的"过滤器"功能 - 标准响应是"是的,您是".编写"安全"代码非常困难,而且你基本上都在尝试重新发明轮子,并且这样做的方式很糟糕.
为什么你还可以做到这一点(无意义的)麻烦:
$safe_text = mysql_real_escape_string($badtext);
(或者您的数据库库提供的任何转义功能)并让数据库为您完成所有艰苦的工作?
| 归档时间: |
|
| 查看次数: |
188 次 |
| 最近记录: |