正如标题所述,我该如何判断mysql_real_escape_string是否正常工作,而无需等待被黑客攻击?
检查从中获取的值。
向其发送应该进行转义的文本,例如Ed O'Neil
(应返回为Ed O''Neil
或Ed O\'Neil
)
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
OR die(mysql_error());
$user = "Ed O'Neil";
$password = "SQL_INJECTION ';'alter table xyz';";
// Query
$query_safe= sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
// Query
$query_not_safe= sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
$user,
$password);
echo $query_safe."\n";
echo $query_not_safe;
?>
$dbh = new PDO([...]);
$sth = $dbh->prepare("SELECT foo FROM bar WHERE baz=:baz");
$sth->execute(array(":baz" => $mybaz));
这是最安全的方式,而且由于PDO的存在,它几乎和Perl一样容易。