通过替换单引号来防止SQL注入

I've read that replacing user input isn't safe for the SQL injection. I would like to know (possibly with an example) what's wrong in something like this (PHP):

function formatsql($testo){
    return str_replace("'", "&#039;", $testo);
}

$username = formatsql($_POST["username"]);
$password = formatsql($_POST["password"]);

$query = "SELECT id FROM utenti WHERE user='$username' AND password='$password'";

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dozug64282 2013-09-04 16:00
关注
I would like to know what's wrong in something like this (PHP)

The idea.

It has been proved to be flawed long time ago.

First of all, this code does alter the data. It is good approach for the abstract musings but it will crash your application in the real life. As a matter of fact, it's unacceptable behavior. However, you could escape your quotes instead of replacing them.

Second, you are (like most of PHP folks) under the delusion that replacing some characters makes your data safe. While it is not. Every PHP user who cares to reinvent a wheel in the field of injection protection always assume that only strings being added to the query. They never realize it explicitly though, nor imagine any other parts exists in SQL query. While such a replacement would be as harmless for any other SQL literal as a chicken. And the very name of your function is a sure proof for my words.
Say, you have a code like this

$limit = formatsql($_POST["limit"]); $query = "SELECT id FROM utenti LIMIT $limit";

which will welcome any script-kiddie to play with your db.

Also, there is a term "user input" in your reasoning, which is a sure sign of the second order injection.

Taking a step further, let's observe two kinds of applications: some sort of silly home page script and relatively big web application. Although your code is quite all right for the former one, in a latter one rules change. Sometimes we can have these two parts of the code

$username = formatsql($_POST["username"]); $password = formatsql($_POST["password"]);

and

$query = "SELECT id FROM utenti WHERE user='$username' AND password='$password'";

dramatically separated from each other. And here we can slip into many and many troubles, such as double escaping, wrong escaping, no escaping at all.

This is why manual escaping has been considered bad practice already long time ago.

Instead, prepared statements have to be used, as they guarantee that

complete formatting applied instead of silly "escaping" or "replacing"

different formatting applied for the different data types.

formatting applied right in place where it have to be - not sooner nor later.

proper formatting applied unconditionally, independently from developer's will or air.

This is why prepared statements considered the only proper way long time ago already.
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

通过替换单引号来防止SQL注入 php
2013-09-04 15:11

回答 1 已采纳 I would like to know what's wrong in something like this (PHP) The idea. It has been proved
为什么单引号能防止sql注入？ mysql php web安全
2022-11-03 10:23

回答 3 已采纳首先，单引号不是能防止sql注入，而是过滤掉用户输入部分的单引号能防止sql注入。在很多语言中，单引号都是做字符串引用的，在sql中也是如此，比如'abc'就是个字符串。但是sql中的单引号还有另一个
PreparedStatement防止sql注入的一些疑问? sql
2018-11-08 10:20

回答 1 已采纳 PreparedStatement并不使用字符串拼接来调用参数，所以根本不存在添加单引号一说。再说，添加单引号就不能注入了么？ SELECT * FROM employees WHERE salar
php sql注入 替换,通过替换单引号来防止SQL注入
2021-04-16 15:00

Johann Faust的博客但是，您可以转义引号而不是替换它们。其次，您(就像大多数PHP人员一样)认为替换某些字符会使您的数据安全。虽然不是。每个关心在注射保护领域重新发明轮子的PHP用户总是假设只有字符串被添加到查询中。他们从未明确...
SQLServer 有个字段的值既有单引号又有双引号，如何存储 sql 有问必答
2021-03-16 09:35

回答 5 已采纳 单引号和双引号前面都加上反斜杠就可以
php变量及sql注入问题 php
2022-11-17 15:15

回答 2 已采纳我建议你看看我的第一篇博客
hive怎么拼接单引号 hive sql 大数据
2022-08-02 12:01

回答 7 已采纳不能用拼接，拼接之后用不了in，in是判断左边的字段是否在右边内容(集合)中，拼接的是一个字符串整体，不是集合。 SELECT sku_key,warehouse_key,SUM(quantity)
php+sql+单引号保护,SQL注入备忘录
2021-04-24 11:32

weixin_39614262的博客打好补丁 SQL注入绕过：注入中常注意的编码： %01-%0D特殊字符绕空格 &= 在浏览器Url时要进行URL编码 %26 %3d 查询字符串中不允许有空格，可用%20,+对其编码 Cookie注入时，SQL语句中的分号得编码 单引号过滤 ...
sql注入引号被过滤了怎么注入？ web安全有问必答网络安全
2022-10-31 13:14

回答 4 已采纳拼接上 union select database{}# sql单引号_被过滤了引号的SQL注入如何破？ - 百度文库
sql 插入语句单引号和双引号问题 sql
2015-10-25 12:30

回答 2 已采纳 java拼sql串用双引号，sql语句里用单引号
PHP用双引号替换属性单引号 html php
2013-07-23 19:32

回答 1 已采纳 I realized that PHP's DOMDocument class does this automatically... libxml_use_internal_errors(tr
Sqlite插入单引号和双引号，防止sql注入
2024-04-02 14:25

-凌凌漆-的博客 sqlite3_mprintf替换sprintf, '%q'替换'%s'. 2. 举例修改前代码 //修改前, hello'123写入失败 char sql[1000] char* sql = sprintf("UPDATE table SET name = '%s' WHERE name_id = %d", "hello'123", 1); ...
SQL注入保护 - 单引号[重复] mysql php
2012-10-12 17:10

回答 3 已采纳 Try this input: abc' OR id <> ' it will lead to following statement: "SELECT * FROM `Gam
mysql注入绕过单引号_SQL注入-绕过过滤规则
2021-01-28 05:08

cedar song的博客过滤规则产生的原因前两篇举例了SQL注入Get请求/SQL注入Post请求的案例，都是因为程序要接收用户输入的变量或者URL传递的参数，并且参数或变量会被组成 SQL语句的一部分被执行。这些数据我们统称为外部数据，在安全...
php防止sql注入的方法
2022-02-24 20:01

zhoupenghui168的博客一、什么是SQL注入式攻击? 所谓SQL注入式攻击，就是攻击者把SQL命令插入到Web表单的输入域或页面请求的查询字符串，欺骗服务器执行恶意的SQL命令。在某些表单中，用户输入的内容直接用来构造(或者影响)动态SQL命令...
sql注入详解
2023-05-05 11:46

~Echo的博客 SQL注入（SQL Injection）是一种常见的Web安全漏洞，主要形成的原因是在数据交互中，前端的数据传入到后台处理时，没有做严格的判断，导致其传入的“数据”拼接到SQL语句中后，被当作SQL语句的一部分执行。...
mybatis 防止sql注入原理
2023-01-11 09:34

SamYdd的博客 mybatis 防止sql注入原理
没有解决我的问题, 去提问

悬赏问题

¥15 Llama如何调用shell或者Python
¥20 谁能帮我挨个解读这个php语言编的代码什么意思？
¥15 win10权限管理，限制普通用户使用删除功能
¥15 minnio内存占用过大，内存没被回收（Windows环境）
¥65 抖音咸鱼付款链接转码支付宝
¥15 ubuntu22.04上安装ursim-3.15.8.106339遇到的问题
¥15 blast算法（相关搜索：数据库）
¥15 请问有人会紧聚焦相关的matlab知识嘛？
¥15 网络通信安全解决方案
¥50 yalmip+Gurobi

通过替换单引号来防止SQL注入

1条回答 默认 最新

悬赏问题

1条回答默认最新