
Is urlencode() good enough to stop all SQL injection attacks in the year 2011

Developer https://www.devze.com 2023-02-10 06:42 Source: Internet

I'm passing some simple user data into a mysql database.

PHP's urlencode() Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits.

I'm not worried about the spaces turning into plus's, or other formatting issues. Neither am I worried about XSS and other HTML hacks.

I believe I should be safe from ' and ) style attacks.

QUESTION: Are there other kinds of sql attacks that could be used with - or _ or . ?

EXAMPLE:

mysql_query("UPDATE cars SET color = '".urlencode($c)."' WHERE garage = 29");

Thank you in advance


urlencode() has nothing to do with SQL, so it does as much to prevent SQL injection as kerosene does to make your burgers more delicious. Besides, everything that enters your database will end up URL encoded, which you then have to decode if you want to do anything useful with them after retrieving the database.

Escaping your queries, on the other hand, helps your application to guard against SQL injection, and nothing more. It does not modify the data you enter into your queries; it only protects your queries from being tampered with. That's the idea of SQL injection, and it's also why URL encoding your data doesn't do anything to protect against it. Granted, it does turn your apostrophes ' into %27, rendering them harmless, but as mentioned in the above paragraph, you'll have to URL decode them back into apostrophes in order to use them.

Use the right tool for the right purpose. Especially in the year 2011, you should be using prepared statements instead of manually escaping your query variables and concatenating strings to form queries.


No. It is actually dangerous to use url encoding for SQL injection protection.

  1. URL encoding is percent encoding. And % chars in SQL have special meaning in many databases. Example: LIKE clauses. Allowing % chars in dynamic SQL will still lead to problems.
  2. There is a risk that intermediate (web) servers might automatically url decode. Apache might do this.


I don't think that urlencode alone will be good enough to stop SQL injection. You will have to use at least mysql_real_escape_string or prepared statements from PDO.


Use PDO and parameterized queries.
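The asker's UPDATE done the urlencode() way and the prepared-statement way, plus the LIKE wildcard point from the second answer, as an added example that is not code from the question or any of the answers. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite table (constructed here, with the column names from the question) so it runs offline.

```php
<?php
// Added example, not code from the question or any answer: the asker's UPDATE done
// against an in-memory SQLite table so it runs offline. The table and rows are
// constructed here; "cars", "color" and "garage" come from the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cars (id INTEGER PRIMARY KEY, color TEXT, garage INTEGER)');
$db->exec("INSERT INTO cars (color, garage) VALUES ('red', 29), ('green', 30), ('code 25', 31)");

// Input of the kind the question worries about: a quote that would end the literal.
$c = "black' WHERE 1=1 --";

// 1. urlencode() and concatenation: nothing breaks, but what lands in the table is
//    the encoded text, which every reader must urldecode() before it is usable.
$db->exec("UPDATE cars SET color = '" . urlencode($c) . "' WHERE garage = 29");
echo "urlencode stored: " . $db->query('SELECT color FROM cars WHERE garage = 29')->fetchColumn() . "\n";
// -> urlencode stored: black%27+WHERE+1%3D1+--

// 2. Prepared statement: the value is sent separately from the SQL text, so the
//    quote is plain data, garage 30 is untouched, and nothing needs decoding later.
$stmt = $db->prepare('UPDATE cars SET color = :color WHERE garage = :garage');
$stmt->execute([':color' => $c, ':garage' => 29]);
echo "prepared stored: " . $db->query('SELECT color FROM cars WHERE garage = 29')->fetchColumn() . "\n";
// -> prepared stored: black' WHERE 1=1 --

// 3. The "%" point from the second answer: urlencode('%') is "%25", and inside LIKE
//    that is still a wildcard ("anything, then 25"), not the literal character.
$n = $db->query("SELECT COUNT(*) FROM cars WHERE color LIKE '" . urlencode('%') . "'")->fetchColumn();
echo "LIKE with urlencoded %: $n row(s)\n";   // 1: 'code 25' matched although nobody asked for it
// Bind the pattern and escape LIKE's own metacharacters instead:
$like = $db->prepare("SELECT COUNT(*) FROM cars WHERE color LIKE :p ESCAPE '\\'");
$like->execute([':p' => addcslashes('%', '%_\\')]);   // pattern becomes \%
echo "LIKE with escaped literal %: " . $like->fetchColumn() . " row(s)\n";   // 0
```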

