I have heard that sprintf() protects against SQL injection. Is it t开发者_StackOverflow中文版rue? If so, how?
Why people are recommending to write query like this:
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);
sprintf won't protect you! It only replaces the %s
you must mysql_real_escape_string so:
$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));
is safer injection
note: I suggest you take a look at PDO, it is what I like to use for DBconections and queries
That doesn't do any protection. Using sprintf makes for more readable code then dropping in and out of a string to run mysql_real_escape_string over each of the variables … but that example doesn't escape the variables at the end so that advantage is lost.
If you want decent protection, use something that provides bound parameters.
Using sprintf might protect against SQL injection for numeric fields:
$sql = sprintf("SELECT * FROM table WHERE col1 = %i", $col1);
By using sprintf in this way, you can be sure that $col1 will be converted to an integer--although it might generate an error or warning, if it's not truly an integer.
The proper way to protect against SQL injection is to check all of your input values, and do escaping. But that's much more thoroughly covered in other questions, so I'm not going to go into detail here.
It obviously doesn't and if you've actually read that in a book or tutorial you should automatically discard it for future reference.
However, it can be a practical way to generate output that needs further processing. Please compare:
echo '<p>Hello, <strong></strong>' . htmlspecialchars($name) . ', welcome to ' . htmlspecialchars($place). '</p>';
echo sprintf('<p>Hello, <strong>%s</strong>, welcome to %s</p>',
htmlspecialchars($name),
htmlspecialchars($place)
);
Same applies to other kind of output, such as SQL code, but of course you still need to do something to input in order to make it safe: sprintf() is just a regular string function that's unaware of SQL and databases.
Please note that bind parameters use a similar syntax:
// Fictional DB abstraction layer
$sql = 'SELECT foo_id
FROM foo
WHERE name=:name AND status=:status';
$params = array(
'name' => $name,
'status' => $status,
);
$result = $db->run($sql, $params);
That's why I particularly find easier to use those DB libraries that provide this syntax, such as PDO.
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论