Effectiveness of stripslashes against SQL Injection?

2018-07-03 15:06:18

Possible Duplicate:
Best way to defend against mysql injection and cross site scripting
How to include a PHP variable inside a mysql insert statement

I was wondering if anyone had came across the stripslashes statement when getting text from a password field, and if there is any way to do an SQL injection when this is the case?

ie in the PHP language you can get text from a password field of a website and pass it through the stripslashes statement to remove any (') so ( ' OR 1=1 -- ) becomes ( OR 1=1 ). And makes SQL injections hard to do.

stripslashes removes slashes ( ), which are escape characters, from data, not quotes ( ' ). If anything, it's use will increase the likelihood of an SQL injection vulnerability existing.

To defend against SQL injection use prepared statements and parameterized queries.

stripslashes should not be used for password. Because it might be stripping slashes which users have input intentionally. To prevent sql injection escape according to the rdbms you are using. This will make sure you enter the exact same string user has inputted but escaped so sql injection will not occur.

For mysql use mysql_real_escape_string

Another better option is to use prepared statement. Its available in all the recent database drivers of PHP. The generic algorithm is

Prepare a statement. Usually by prepare function

Bind the values. usually by bind function.

execute the statement. Usually exec function.

链接地址: http://www.djcxy.com/p/93690.html

上一篇: 用stmt和mysqli插入数据库

下一篇: 基于SQL注入的反锯齿效果？