PHP中的mysql_real_escape_string函数
根据你的使用目的我觉得这个函数有两方面的用途：
防止SQL Injection攻击，也就是你必须验证用户的输入
操作数据的时候避免不必要的字符导致错误
mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。
下列字符受影响：
\x00
\n
\r
\
'
"
\x1a
如果成功，则该函数返回被转义的字符串。如果失败，则返回 false。
攻击的例子［1］
例子 1
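<?php
// Example 1: escape user-supplied values with mysql_real_escape_string()
// before interpolating them into a quoted SQL string literal.
//
// NOTE(review): the mysql_* extension was removed in PHP 7.0. On a current
// PHP this example has to be written against mysqli or PDO, where a prepared
// statement with bound parameters replaces escape-and-quote entirely. The
// shape is kept here because the page documents the legacy function.
$con = mysql_connect("localhost", "hello", "321");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

// code that obtains the username and password (placeholder in the original)

// mysql_real_escape_string() escapes according to the charset of the open
// connection, so it must run after mysql_connect(); if the connection uses a
// multi-byte charset, set it with mysql_set_charset() first so the escaper and
// the server agree on the encoding.
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

// The escaped values are only safe because they sit inside single quotes.
// (The original line was missing the terminating semicolon, a parse error.)
$sql = "SELECT * from users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// more code

mysql_close($con);
?>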
例子 2
数据库攻击。本例演示如果我们不对用户名和密码应用 mysql_real_escape_string() 函数会发生什么：
<?php
// Example 2: intentionally VULNERABLE code, kept as written. The request
// values are interpolated straight into the SQL string; the query the page
// derives from it is shown below this listing. Do not copy this pattern.
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// $_POST values are untrusted and reach the query neither validated nor escaped
$sql = "SELECT * from users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// the username and password are not checked
// they can be anything the user typed, for example:
// (presumably illustrative: these assignments stand for what the request
// could have carried before the query above ran)
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
// some code...
mysql_close($con);
?>
那么 SQL 查询会成为这样：
SELECT * from users WHERE user='john' AND password='' OR ''=''
这意味着任何用户无需输入合法的密码即可登陆。
例子 3
预防数据库攻击的正确做法：
<?php
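/**
 * Prepare one raw value for direct interpolation into a SQL string.
 *
 * Numeric values are returned unchanged so the caller can interpolate them
 * unquoted; anything else is escaped with mysql_real_escape_string() and
 * wrapped in single quotes. The caller must already hold an open mysql
 * connection, because the escaper uses it.
 *
 * NOTE(review): this helper belongs to the legacy mysql_* extension (removed
 * in PHP 7.0). On mysqli/PDO the whole function is replaced by a prepared
 * statement with bound parameters, which needs no quoting logic at all.
 *
 * @param mixed $value raw request value
 * @return mixed the value itself when numeric, otherwise a quoted, escaped string
 */
function check_input($value)
{
    // Magic quotes (removed in PHP 5.4) added backslashes to request data;
    // undo that so the value is not escaped twice. get_magic_quotes_gpc()
    // itself no longer exists in PHP 8, so guard the call or this function
    // fatals before it escapes anything.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Non-numeric input is escaped and quoted; numeric input is left bare
    // because the caller interpolates it outside quotes. is_numeric() also
    // accepts forms such as ' 1' and '1e3', which therefore go in unquoted.
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}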
// Open the connection that mysql_real_escape_string() inside check_input()
// relies on; the escaper cannot run without a live connection.
$con = mysql_connect("localhost", "hello", "321");
if ($con === false) {
    die('Could not connect: ' . mysql_error());
}
// build the SQL safely (the remainder of this example is cut off on the page)