问题描述
我正在建立一个网站,用户可以在其中使用PHP和mySQL数据库存储代码段.但是我不知道如何安全地将用户输入的代码插入到我的数据库中.我无法使用通常使用的安全"功能(trim
,stripslashes
等)来转换输入,因为重点是您可以查看在数据库中输入的代码.我已经看过my_real_escape_string()
,但是我发现它不能转义%
和_
,它们可以用作MySQL通配符.这会构成威胁吗?还是我可以只使用my_real_escape_string
?提前感谢.
I'm building a website where users can store code snippets, using PHP and a mySQL database. But I can't figure out how to safely insert user inputed code into my database. I can't transform the input with the 'safety' functions I normally use (trim
, stripslashes
, etc.) because the whole point is that you can view the code as it's inputed in the database. I've looked at my_real_escape_string()
but I saw that it does not escape the %
and _
, which can be used as MySQL wildcards. Does that pose a threat, or can I just use my_real_escape_string
? Thanx in advance.
推荐答案
通配符仅在SELECT
查询中使用时才生效,然后仅在使用某些功能时才生效.因此,对于插入代码,最好使用mysql_real_escape_string()
,因为它们无效.
Wildcards only take effect when used in SELECT
queries and then only when using certain functions. So for inserting the code it will be fine to use mysql_real_escape_string()
as they will have no effect.
为使其更好,我建议您使用 PHP PDO ,以便可以使用参数绑定.以下示例来自 PHP手册:
To make it better I would recommend that you use PHPs PDO so that you can use parameter binding. The following example is from the PHP manual:
<?php
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
// insert another row with different values
$name = 'two';
$value = 2;
$stmt->execute();
?>
这篇关于如何安全地在MySQL数据库中插入代码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!