dqbhdsec59405 2013-07-26 11:45
浏览 88

空和isset检查中的sql注入漏洞

i am currently working on making my site injection proof and was wondering about the validations i am making, my code goes like this:

if(!empty($_POST['city']) && !empty($_POST['street'])){
  $city = htmlentities(mysql_real_escape_string($_POST['city']));
  $street = htmlentities(mysql_real_escape_string($_POST['street']));   
}

my question is isnt the empty check itself is a vulnerability? i mean do i have to escape string in the !empty validation as well? or it is safe to keep it that way? thanks.

  • 写回答

2条回答 默认 最新

  • doushuangai9733 2013-07-26 11:48
    关注

    For SQL injection you only need to worry when quering the database, so isset is safe.

    There should be no need for htmlentities (use it as protection against XSS).

    mysql_real_escape_string will protect against SQL injection if done correctly, but should not be used at all, since the mysql_ prefix / DB-handler is outdated, deprecated and should not be used at all. The safest way is to use either mysqli_ or PDO, and use prepared statements.

    评论

报告相同问题?

悬赏问题

  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题