dqdmvg7332 2012-03-11 07:04
浏览 40
已采纳

整数的filter_input和mysqli_real_escape_string

I'm developing a simple PHP database application for internal use but would like to code it to best practices. Some of my pages are receiving integer values from GET requests and I'm just wondering how much validation and sanitation is really required.

Currently I'm using $num = filter_input(INPUT_GET, 'num', FILTER_VALIDATE_INT, $num_options); with specified min and max values. From here I'm exiting with an error message if $num == false

Is it necessary to also use $mysqli->real_escape_string($num);

Currently I am not bothering because I think it's quite hard to do SQL injection using an integer...

Thanks,

Kevin

UPDATE: To clarify the query I'm doing looks like this

$sql = "SELECT employeeID, concat(FirstName, ' ', LastName) as Name FROM employee WHERE employeeID='$num'";
  • 写回答

2条回答 默认 最新

  • dqk94069 2012-03-11 07:17
    关注

    Like many other PHP users you are taking escaping wrong. You taking it as a some sort of magic wand which makes some "evil characters" "safe".
    This is wrong idea.
    though prepared statements can be taken as a sort of such a magic wand, escaping is not a synonym for "SQL injection protection". It is a merely string syntax rule - no more, no less.

    Is it necessary to also use $mysqli->real_escape_string($num);

    It is irrelevant question.
    To escape or not to escape decision have to be bound to SQL, not to the data source or any validations:

    • real_escape_string() have to be used for the sql strings, i.e. parts of the query enclosed in quotes. Have to be used unconditionally, despite of whatever previous manipulations.
    • For the any other part of the query real_escape_string() being completely useless.

    An explanation:
    Data validation rules can be changed.
    While SQL building rules have to be explicit and unconditional. To make a developer never ask himself a question like this.
    In fact, it's completely different matters: data validation and query building. Why keep in mind such details and build the query accordingly? Why not to build the query based on some set of general purpose rules, irrelevant of the data nature at all?

    So, to your question again:

    • if you are adding your data to the query as is, without quotes, real_escape_string() going to be completely useless in this case, but casting/validation become essential.
    • if you are adding your data to the query using prepared statement, real_escape_string() going to be completely useless and even harmful.
    • if you are adding your data to the query in quotes - you ought to do real_escape_string() in this case.
    • it is also worth to mention that if you are adding your data to the query as a part of SQL language - as an identifier or an SQL keyword - real_escape_string() is completely useless too, as well as prepared statement. Whitelisting is your only friend here
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 mmocr的训练错误,结果全为0
  • ¥15 python的qt5界面
  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能
  • ¥30 深度学习,前后端连接
  • ¥15 孟德尔随机化结果不一致
  • ¥15 apm2.8飞控罗盘bad health,加速度计校准失败
  • ¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
  • ¥15 谁有desed数据集呀