Given 1000s mysql queries in string format, could there be a way to analyze and remove any SQL injections from these strings before running the query?
one idea i had was to check the string for common words/phrases that are used in an sql injection which are never used in the application running the queries. If found, don't run the query and alert the admins.
分享 mySQL encourages the use of mysql_real_escape_string to sanitize queries.
Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query(). If binary data is to be inserted, this function must be used.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, , , \, ', " and \x1a.
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
PS: Here's a good answer to the addslashes/mysql_real_escape_string debate: http://www.sitepoint.com/forums/showthread.php?337881-addslashes()-vs-mysql_real_escape_string()...the-final-debate&s=7cabb6e5fd909f2c787d47cd01471dfb&p=2439889&viewfull=1#post2439889
分享
