dongying3830 2014-10-29 06:30
浏览 79

Php正则表达式是否可以安全地将数据插入数据库?

I'm inserting data to db with following validation where I only accept ' and & and @ and .. After that I'm using mysqli_real_escape_string($var).

So I see it's output is : 

I\'m a good boy &@ is it secure var for input to DB.

My Questions :

1) Is there any security issues will appear if I accept ' and & and @ and . ?
2) If it's not security issues then it's insert \ to db. Is it problem to store data with backslash ?
3) If it's not a problem for security then in user panel data is showing with \. So is it need to escape with stripslashes($var);?

My validation: 

$var = "I'm a good boy &@ is it secure var for input to DB.";

if(preg_match("/^[a-zA-Z0-9.'&@ ]+$/", $var) !== 1)
    echo "var is NOT OK.<br/>";
else
    echo "var is ok.<br/>";

mysqli_real_escape_string($link, $var);
  • 写回答

1条回答 默认 最新

  • doudeng2025 2014-10-29 06:38
    关注

    1. Is there any security issues will appear if I accept ' and & and @ and . ?
      There will be security issues as a single quote (') is used for SQL Injection

    2. If it's not security issues then it's insert \ to db. Is it problem to store data with backslash ?
      No, there is no problem with storing the data with backslashes, that's how escaping works.

    3. If it's not a problem for security then in user panel data is showing with . So is it need to escape with stripslashes($var);?
      Yes, it will cause a problem among display as single quotes will be escaped using a backslash, to display it without a backslash, you can use stripslashes()

    All these problems and questions you're mentioning can be simply ignored if you start using prepared statements as it requires no escaping whatsoever, so your database will be SQL Injection-free, there will be no backslashes making your output look bad.

    评论

报告相同问题?