doushan2311 2010-05-12 11:06
浏览 13
已采纳

这是在PHP中构建mysql_query的安全方法吗?

I have tried and tried to achieve an SQL injection by making custom queries to the server outside of firefox.

Inside the php, all variables are passed into the query in a string like this.

Note, by this stage, $_POST has not been touched.

mysql_query('INSERT INTO users (password, username) VALUES(' . sha1($_POST['password']) . ',' . $_POST['username'] . '));

Is that a secure way to make a change?

  • 写回答

6条回答 默认 最新

  • dongmiyi8220 2010-05-12 11:07
    关注

    You should definitely escape the username with mysql_real_escape_string.

    Of course the best solution would be to use prepared statements. That way the separation of query syntax and data is made on the mysql API level.

    And, as others pointed out, values should absolutely be surrounded with quotes. Especially the text ones.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(5条)

报告相同问题?

悬赏问题

  • ¥17 pro*C预编译“闪回查询”报错SCN不能识别
  • ¥15 微信会员卡接入微信支付商户号收款
  • ¥15 如何获取烟草零售终端数据
  • ¥15 数学建模招标中位数问题
  • ¥15 phython路径名过长报错 不知道什么问题
  • ¥15 深度学习中模型转换该怎么实现
  • ¥15 HLs设计手写数字识别程序编译通不过
  • ¥15 Stata外部命令安装问题求帮助!
  • ¥15 从键盘随机输入A-H中的一串字符串,用七段数码管方法进行绘制。提交代码及运行截图。
  • ¥15 TYPCE母转母,插入认方向