Prevent SQL Injection without MySQLi or PDO

I know that I can use prepared statement to prevent SQL injection. I can do it using MySQLi or PDO. But I have a developed a large CRM using PHP/ MySQL (mysql_query). If I have to change each and every query into PDO or MySQLi, it will take at least a month. The script got more that 500 MySQL query statement.

I really need help in this matter. Can anyone tell me that how to prevent SQL injection not using MySQLi or PDO?

---

Can anyone tell me that how to prevent SQL injection not using MySQLi or PDO [in an existing application which has over 500 raw MySQL statements]?

Short Answer

No.

Architecturally, your application needs a top-to-bottom rewrite (with regards to its database access structures) to become safe on the web. Going hog-wild with data sanitizers and statement heuristics would be far more dangerous and time-consuming than simply implementing a reliable SQL abstraction layer as part of your revision strategy.

My recommendation is that you at least implement Doctrine . Probably the Doctrine Database Abstraction Layer (DBAL) would be a good start, especially for a port from a legacy database strategy like the one you described; or go a step up with the Doctrine Object Relational Mapper (ORM). Better yet, build your future applications (or application re-builds) using a framework that already includes these database libraries, like Symfony 2 or Silex.

链接地址: http://www.djcxy.com/p/93768.html

上一篇: PDO准备的语句正确吗？

下一篇: 防止没有MySQLi或PDO的SQL注入