I would like to know what's wrong with something like this (PHP)
The idea. It was proven to be flawed a long time ago.
First of all, this code does alter the data. It is a good approach for abstract musings, but it will crash your application in real life. As a matter of fact, it's unacceptable behavior. However, you could escape your quotes instead of replacing them.
Second, you are (like most PHP folks) under the delusion that replacing some characters makes your data safe, while it does not. Every PHP user who cares to reinvent the wheel in the field of injection protection always assumes that only strings are being added to the query. They never realize it explicitly, though, nor imagine that any other parts exist in an SQL query, while such a replacement would be as harmless for any other SQL literal as a chicken. And the very name of your function is sure proof of my words.
Say you have code like this:

    // LIMIT takes a number, not a quoted string, so replacing quotes changes nothing here
    $limit = formatsql($_POST["limit"]);
    $query = "SELECT id FROM utenti LIMIT $limit";

which will welcome any script kiddie to play with your db.
Also, there is the term "user input" in your reasoning, which is a sure sign of second-order injection.
Taking a step further, let's observe two kinds of applications: some sort of silly home page script and a relatively big web application. Although your code is quite all right for the former, in the latter the rules change. Sometimes we can have these two parts of the code
    // the "escaping" happens here, at input time ...
    $username = formatsql($_POST["username"]);
    $password = formatsql($_POST["password"]);

and

    // ... but the values are used here, possibly in a completely different file
    $query = "SELECT id FROM utenti WHERE user='$username' AND password='$password'";

dramatically separated from each other. And here we can slip into many, many troubles, such as double escaping, wrong escaping, or no escaping at all.
This is why manual escaping was considered bad practice a long time ago already.
Instead, prepared statements have to be used, as they guarantee that
- complete formatting is applied instead of silly "escaping" or "replacing";
- different formatting is applied for the different data types;
- formatting is applied right where it has to be, neither sooner nor later;
- proper formatting is applied unconditionally, independently of the developer's will or air.
This is why prepared statements were considered the only proper way a long time ago already.
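The two queries from the answer (the LIMIT case and the login case) rewritten with PDO prepared statements, as an added example that is not part of the original question or answer. The DSN, credentials, the `password_hash` column and the `utenti` table layout are assumptions; only the table name comes from the question.

```php
<?php
// Added example, not code from the original post. Assumed: DSN, credentials,
// and a `password_hash` column in the `utenti` table.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4',   // assumed DSN
    'app_user',                                              // assumed credentials
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: the query text and the values travel
        // separately, so the driver never interpolates user data into SQL.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

/**
 * The LIMIT case: LIMIT takes an integer literal, so quoting or replacing
 * quotes does nothing. Validate the type, then bind it as an integer; the
 * query text itself never contains the request value.
 */
function fetchIds(PDO $pdo, string $rawLimit): array
{
    // Rejects anything that is not a plain integer in range, e.g. "-1" or
    // "10; DROP ..."; falls back to a safe default instead of crashing.
    $limit = filter_var($rawLimit, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    if ($limit === false) {
        $limit = 10;
    }

    $stmt = $pdo->prepare('SELECT id FROM utenti LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);   // typed binding, not a string
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * The login case: formatting is applied by the driver at execute() time,
 * right where the value meets the query, so input handling and query code
 * can live in different files without double or missing escaping.
 * The password is checked against a stored hash (assumed column).
 */
function findUserId(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM utenti WHERE user = :user');
    $stmt->execute([':user' => $username]);   // raw request value, no formatsql()
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage with the raw request values: no manual escaping or replacing anywhere.
$ids    = fetchIds($pdo, $_POST['limit'] ?? '10');
$userId = findUserId($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Note the difference between the two placeholders: `:user` is a string, so the driver sends it as string data; `:limit` is bound with `PDO::PARAM_INT` after validation, which is the only way to get a non-string literal into a query safely. That typed binding is exactly what a quote-replacing function cannot provide.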