doukuiqian5345 2016-09-27 18:07
浏览 67
已采纳

PHP和PostgreSQL:避免跨站点脚本和SQL注入攻击

When inserting data into a PostgreSQL database through PHP, should I embed the data in a sql INSERT statement within the function pg_query, or would it be more secure to pass the data through an array into the pg_insert function?

My guess would be pg_insert since it's just inserting the data directly into the table rather than querying the table and then inserting it.

Please visit http://php.net/manual/en/book.pgsql.php for reference to these 2 functions.

  • 写回答

1条回答 默认 最新

  • dongyi7513 2016-09-27 19:57
    关注

    To avoid SQL injection, you want to call methods that accepts SQL parameters as method parameters. That way, your SQL library can make sure that the parameters are properly escaped. Never build your own SQL-statements by "appending" string-fragments. If you do, you are responsible for SQL-escaping the parameters. This is hard to get right.

    Therefore, you should prefer pg_query_params (or pg_insert) over pg_query.

    This is wrong (because you must remember to escape the $arg1-parameter. Which is hard.):

    pg_query("INSERT INTO TABLE ... VALUES " . $arg1 . ";");
    

    Right (because the smart guys at PostgresQL know how to escape your parameter):

    pg_query_params("INSERT INTO TABLE ... VALUES $1", "FooBar");
    
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥20 设计一个二极管稳压值检测电路
  • ¥15 内网办公电脑进行向日葵
  • ¥15 如何输入双曲线的参数a然后画出双曲线?我输入处理函数加上后就没有用了,不知道怎么回事去掉后双曲线可以画出来
  • ¥50 WPF Lidgren.Network.Core2连接问题
  • ¥15 soildworks装配体的尺寸问题
  • ¥100 有偿寻云闪付SDK转URL技术
  • ¥30 基于信创PC发布的QT应用如何跨用户启动后输入中文
  • ¥20 非root手机,如何精准控制手机流量消耗的大小,如20M
  • ¥15 远程安装一下vasp
  • ¥15 自己做的代码上传图片时,报错