問題描述

我看過很多關于 mysqli 的文章和問題，他們都聲稱它可以防止 sql 注入.但它是萬無一失的，還是有辦法繞過它.我對跨站腳本或網絡釣魚攻擊不感興趣，只對 sql 注入感興趣.

I've seen lots of articles and questions about mysqli, and all of them claim that it protects against sql injections. But is it fool proof, or is there still some way to get around it. I'm not interested in cross site scripting or phishing attacks, only sql injections.

我應該首先說的是我使用的是準備好的語句.這就是我對 mysqli 的意思.如果我使用沒有任何字符串連接的準備好的語句，那么它是萬無一失的嗎?

What I should have said to begin with is that I am using prepared statements. That is what I meant with mysqli. If I use prepared statements without any string concatenation, then is it foolproof?

推薦答案

但它是萬無一失的，還是有辦法繞過它.

But is it fool proof, or is there still some way to get around it.

不，你必須知道你在做什么.如果您使用綁定參數(MySqli 附帶的一項功能)，您就可以完全避免注入類型的攻擊來自這個攻擊向量.這不會阻止您 - 程序員 - 直接嵌入字符串，從而啟用注入攻擊.您必須按預期使用該功能.

No, you have to know what you're doing. If you use bound parameters (A feature that MySqli comes with), you are completely safe from injection type attacks from this attack vector. This doesn't prevent you - the programmer - from embedding strings directly, and thereby enabling injection attacks. You have to use the feature as intended.

我應該首先說的是我使用的是準備好的語句.這就是我對 mysqli 的意思.如果我使用沒有任何字符串連接的準備好的語句，那么它是萬無一失的嗎?

What I should have said to begin with is that I am using prepared statements. That is what I meant with mysqli. If I use prepared statements without any string concatenation, then is it foolproof?

萬無一失仍然是一個如此危險的詞.但是對于通過準備好的語句綁定的變量，您可以避免注入攻擊.這是因為綁定參數與 SQL 查詢分開傳輸.與傳統"嵌入字符串方法，數據庫服務器需要解析輸入，其中有很多邊緣情況(字符集等).當數據和查詢分開發送時，沒有實際的解析進行(至少沒有解析變量數據).

Foolproof is still such a dangerous word. But you are safe from injection attacks for the variables that are bound through prepared statements. This is because bound parameters are transmitted separately from the SQL query. With the "traditional" embed-string approach, the database server needs to parse the input and there are lots of edge cases in that (Charsets etc.). When the data and the query are sent separate, there is no actual parsing going on (At least not parsing of the variable data).

這篇關于PHP 中的 mysqli 類是否可以 100% 保護 sql 注入?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！