dongta1824 2012-11-06 08:49
浏览 56
已采纳

如果PDO和mysqli不可用,使用mysql_ *函数是否安全?

I have a website hosted on a shared hosting. They have php 5.2.13 installed.

I know the vulnerabilities of SQL Injection and I want to prevent it.

So I want to use PDO or mysqli for preventing it.

But the problem when I used phpinfo(); to view the hosting environment php setup info,
I found that there was no mysql driver for PDO and there was no support for mysqli in it.

So I wanted to know whether it will be safe to use that old mysql_* functions( along with functions like mysql_real_escape_string).

I looked at this one on SO but it wasn't much helpful to me. Prepared statements possible when mysqli and PDO are not available?

UPDATE:

I forgot to mention that most of the queries will be simple. There are no forms used so no user input will be used to make a query. All the queries will be hard coded with necessary parameters and they will not be changed once set.

  • 写回答

3条回答 默认 最新

  • dpl22899 2012-11-06 08:57
    关注

    If you're really rigorous about always using mysql_real_escape_string() with all user-supplied input then I think you should be safe from any SQL injection that prepared statements protects you from.

    How perfect are you at this? I'll bet most of the buffer overflow vulnerabilities were created by programmers who thought they were good at checking inputs....

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 基于双目测规则物体尺寸
  • ¥15 wegame打不开英雄联盟
  • ¥15 公司的电脑,win10系统自带远程协助,访问家里个人电脑,提示出现内部错误,各种常规的设置都已经尝试,感觉公司对此功能进行了限制(我们是集团公司)
  • ¥15 救!ENVI5.6深度学习初始化模型报错怎么办?
  • ¥30 eclipse开启服务后,网页无法打开
  • ¥30 雷达辐射源信号参考模型
  • ¥15 html+css+js如何实现这样子的效果?
  • ¥15 STM32单片机自主设计
  • ¥15 如何在node.js中或者java中给wav格式的音频编码成sil格式呢
  • ¥15 不小心不正规的开发公司导致不给我们y码,