How can mysqli

2018-07-03 12:57:11

This question already has an answer here:

SQL injection that gets around mysql_real_escape_string() 4 answers

As long as you are using mysqli_set_charset() to set client encoding, and mysqli_real_escape_string() is used to format strings only , it is perfectly safe.

However, if your question implied using this function right in the application code, instead of behind-the-scenes processing of placeholder-based query or at least in the form of PDO's quote() -like function (which does escaping and quoting at once) it is straight way to injection.

It is not function itself being a problem, but the way it is used:

as it does only part of required formatting, one can easily forget another part and slip into trouble

or even it can be easily misused, to format not a string but another literal which will no benefit from escaping at all.

second, when it's used right in the application code, it is usage become inconsistent or occasional, as there is no way to force a developer to format every literal properly and without fail. This again may lead to inaccuracy and injection.

That's why you have to always use a placeholder to represent data in the query (while mysqli_real_escape_string can be used to process this placeholder all right)

链接地址: http://www.djcxy.com/p/93444.html

上一篇: 是mysql

下一篇: 如何可以mysqli