开发者

How does sprintf() protect against SQL injection?

问答 作者:

I have heard that sprintf() protects against SQL injection. Is it t开发者_StackOverflow中文版rue? If so, how?

Why people are recommending to write query like this:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);

sprintf won't protect you! It only replaces the %s

you must mysql_real_escape_string so:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));

is safer injection

note: I suggest you take a look at PDO, it is what I like to use for DBconections and queries

That doesn't do any protection. Using sprintf makes for more readable code then dropping in and out of a string to run mysql_real_escape_string over each of the variables … but that example doesn't escape the variables at the end so that advantage is lost.

If you want decent protection, use something that provides bound parameters.

Using sprintf might protect against SQL injection for numeric fields:

$sql = sprintf("SELECT * FROM table WHERE col1 = %i", $col1);

By using sprintf in this way, you can be sure that $col1 will be converted to an integer--although it might generate an error or warning, if it's not truly an integer.

The proper way to protect against SQL injection is to check all of your input values, and do escaping. But that's much more thoroughly covered in other questions, so I'm not going to go into detail here.

It obviously doesn't and if you've actually read that in a book or tutorial you should automatically discard it for future reference.

However, it can be a practical way to generate output that needs further processing. Please compare:

echo '<p>Hello, <strong></strong>' . htmlspecialchars($name) . ', welcome to ' . htmlspecialchars($place). '</p>';

echo sprintf('<p>Hello, <strong>%s</strong>, welcome to %s</p>',
    htmlspecialchars($name),
    htmlspecialchars($place)
);

Same applies to other kind of output, such as SQL code, but of course you still need to do something to input in order to make it safe: sprintf() is just a regular string function that's unaware of SQL and databases.

Please note that bind parameters use a similar syntax:

// Fictional DB abstraction layer
$sql = 'SELECT foo_id
    FROM foo
    WHERE name=:name AND status=:status';
$params = array(
    'name' => $name,
    'status' => $status,
);
$result = $db->run($sql, $params);

That's why I particularly find easier to use those DB libraries that provide this syntax, such as PDO.

继续阅读:phpsql-injection

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9