6 回答
Yup. Never rely on black-listing mechanisms like that for safety. It's broken, and can result in some interesting SQL injections:
$query = "SELECT id, title, body FROM posts WHERE id = " . mysql_real_escape_string($_GET['id']);
This can still be injected:
1 OR 1=1
Resulting in:
SELECT id, title, body FROM posts WHERE id = 1 OR 1=1
All results are returned. Not convinced this is bad? Ok...
1 OR 1=1 UNION SELECT id, username, password FROM users
Whoops!
Why is this injectable? The developer just forgot to quote the numeric ID. If you can ever see yourself making this mistake, you should seek a better solution.
My advice? Stop using string concatenation, stop using the deprecated mysql_ functions, and shift to MySQLi or PDO with parameterised queries, where content is explicitly separated from query language.
花引号不需要转义,因为它们对 MySQL 没有特殊意义。
这是因为“智能”引号不会被 MySQL 引擎识别为引号,因此绝对不会造成注入攻击的风险。
正如我所想的那样,事实证明这是一个复杂的问题。
在我的字符串上使用utf8_encode ( http://php.net/manual/en/function.utf8-encode.php ) 后一切正常。
谢谢大家的帮助(尤其是多项式)。