Is there a way to define a universal function that filters input to make it safe?
Definitely NO.
Something like that existed long ago, but today it lingers only in a twisted and overblown form (because it never did what it was meant to do and never achieved its purpose).
The problem you face comes from the fact that an SQL query is a program.
So you have to follow the syntax rules when creating this program, just as with any other programming language. If you happen to write a PHP program, you have to take care of the irritating apostrophes as well: you can't put them all over the code in random places; each one has to have its strict syntactical meaning, or, if an apostrophe is part of the data, it has to be properly escaped.
So, it is just syntax issue.
The best way to solve the problem is to separate the code from the data.
Native prepared statements give you that possibility.
You can create a program (the query itself) and eventually bind some variables to it, so the program code and the data are sent to the SQL server separately.
That's why prepared statements are considered the best way of creating dynamic SQL queries.
But of course, you have to bind every variable explicitly, so there is no universal way.
However, you can use some helper that performs the binding automatically, so the code becomes concise:
$db->run("SELECT * FROM table WHERE id=?",$id);
This is both shorter to write and completely safe.
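The code-versus-data separation the answer describes, shown end to end as an added example (this is not code from the original answer; the `run()` helper, the in-memory SQLite database, the `users` table and the hostile input are all constructed for illustration). It runs the same query twice: once with the input spliced into the query text, once with the input bound as a parameter.

```php
<?php
// Added example, not part of the original answer.
// Assumes PHP with the pdo_sqlite extension; everything below is constructed
// so that it runs offline against an in-memory database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask the driver for native prepared statements rather than client-side
// emulation, so the query text and the bound values reach the engine separately.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Hypothetical helper in the spirit of the answer's $db->run(): prepare the
// query (the program), then bind every variadic argument positionally (the data).
function run(PDO $pdo, string $sql, ...$args): PDOStatement
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($args);
    return $stmt;
}

// Constructed hostile input: the classic tautology payload.
$id = "1 OR 1=1";

// VULNERABLE: the input becomes part of the query text, i.e. part of the program.
// The WHERE clause is rewritten, so the query no longer means what the author intended.
$spliced = $pdo->query("SELECT * FROM users WHERE id=$id")->fetchAll(PDO::FETCH_ASSOC);
echo "string concatenation: " . count($spliced) . " rows\n";

// SAFE: the same input is bound as a parameter, so it stays data. The program text
// never changes, and the engine compares the id column against the literal string.
$bound = run($pdo, "SELECT * FROM users WHERE id=?", $id)->fetchAll(PDO::FETCH_ASSOC);
echo "prepared statement: " . count($bound) . " rows\n";
```

Run it with `php example.php`. The concatenated query returns both rows, because `OR 1=1` was parsed as part of the program; the prepared query returns no rows, because no `id` equals the string `1 OR 1=1`. The helper adds nothing to the safety of the prepared statement itself; it only removes the boilerplate of calling `prepare()` and `execute()` by hand, which is exactly the "shorter to write" point made above.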