I am trying to figure out a way to sanitize input going into sqlite from php. I cannot use mysql. Is it enough to simply use sqlite_escape_string or do I need to do anything else? Also I can only use sqlite2.
我试图找出一种方法来清理从php进入sqlite的输入。我不能使用mysql。仅仅使用sqlite_escape_string还是我还需要做其他事情吗?另外我只能使用sqlite2。
5 个解决方案
#1
2
The best way to avoid SQL injection is to enforce the use of parametric queries, and never ever manually assemble SQL statements by string concatenation or variable interpolation.
避免SQL注入的最佳方法是强制使用参数化查询,并且永远不会通过字符串连接或变量插值手动组装SQL语句。
On PHP 5+, you may use PDO, which is a multi-database abstraction layer supporting (among others) SQLite, and parametric queries.
在PHP 5+上,您可以使用PDO,它是一个支持(其中包括)SQLite和参数查询的多数据库抽象层。
#2
1
Escape functions make sure that the special characters (quotes mainly) that are used by the SQL dialect are escaped, so that your inserts/updates etc work. All sqlite_escape_string does is escape single quotes.
转义函数确保转义SQL方言使用的特殊字符(主要是引号),以便您的插入/更新等工作。所有sqlite_escape_string都是单引号转义。
Then there is the substantial concern that someone can craft an SQL injection. Because you're using v2, you can't use the prepare and _bind() functions that would protect you.
然后有人担心有人可以制作SQL注入。因为您使用的是v2,所以不能使用可以保护您的prepare和_bind()函数。
SQLite lets you chain commands seperated by ';' so there is an issue there. I would suggest you start by carefully crafting your parameters using either helper functions you write or using sprintf and insure that you are typing your ints, floats, and strings appropriately.
SQLite允许您链接由';'分隔的命令所以那里有一个问题。我建议你首先使用你编写的helper函数或使用sprintf仔细制作你的参数,并确保你正确地输入你的整数,浮点数和字符串。
You should be able to create your own escape function that "escapes" things you want to watch out for... most specifically the semicolon, using the ... ESCAPE '\' at the end of your queries, assuming you utilize the backslash as your escape character.
您应该能够创建自己的转义函数,以“逃避”您想要注意的事物...最具体的是分号,在查询结束时使用... ESCAPE'\',假设您使用反斜杠作为你的逃脱角色。
Then you have the issue of someone intentionally inserting malicious content (XSS). Grigor provided one solution -- use htmlentities() on your strings.
然后你就会有人故意插入恶意内容(XSS)。 Grigor提供了一个解决方案 - 在字符串上使用htmlentities()。
#3
0
There are ways, but it depends on the target of your input, Please refer to this question to understand it better: What's the best method for sanitizing user input with PHP?
有方法,但这取决于你输入的目标,请参考这个问题来更好地理解它:用PHP消毒用户输入的最佳方法是什么?
#4
0
sqlite_escape_string() should do all the sanitizing you need to input the string. As for outputting it, if it's being outputted into HTML, then use htmlspecialcharts() on it before outputting it.
sqlite_escape_string()应该完成输入字符串所需的所有清理工作。至于输出它,如果它被输出到HTML,那么在输出之前使用htmlspecialcharts()。
#5
0
SQLite offers sqlite_escape_string() for that. It's only available for PHP 5, though.
SQLite为此提供了sqlite_escape_string()。但它仅适用于PHP 5。
Solely relying on these methods will not save you from injections, though. An imperative measure is to always validate user-provided input first, before subjecting it to methods, you have to rely on - but actually haven't authored.
但是,仅仅依靠这些方法并不能避免注射。一个必要的衡量标准是始终首先验证用户提供的输入,然后将其置于方法之前,您必须依赖 - 但实际上还没有创作。
#1
2
The best way to avoid SQL injection is to enforce the use of parametric queries, and never ever manually assemble SQL statements by string concatenation or variable interpolation.
避免SQL注入的最佳方法是强制使用参数化查询,并且永远不会通过字符串连接或变量插值手动组装SQL语句。
On PHP 5+, you may use PDO, which is a multi-database abstraction layer supporting (among others) SQLite, and parametric queries.
在PHP 5+上,您可以使用PDO,它是一个支持(其中包括)SQLite和参数查询的多数据库抽象层。
#2
1
Escape functions make sure that the special characters (quotes mainly) that are used by the SQL dialect are escaped, so that your inserts/updates etc work. All sqlite_escape_string does is escape single quotes.
转义函数确保转义SQL方言使用的特殊字符(主要是引号),以便您的插入/更新等工作。所有sqlite_escape_string都是单引号转义。
Then there is the substantial concern that someone can craft an SQL injection. Because you're using v2, you can't use the prepare and _bind() functions that would protect you.
然后有人担心有人可以制作SQL注入。因为您使用的是v2,所以不能使用可以保护您的prepare和_bind()函数。
SQLite lets you chain commands seperated by ';' so there is an issue there. I would suggest you start by carefully crafting your parameters using either helper functions you write or using sprintf and insure that you are typing your ints, floats, and strings appropriately.
SQLite允许您链接由';'分隔的命令所以那里有一个问题。我建议你首先使用你编写的helper函数或使用sprintf仔细制作你的参数,并确保你正确地输入你的整数,浮点数和字符串。
You should be able to create your own escape function that "escapes" things you want to watch out for... most specifically the semicolon, using the ... ESCAPE '\' at the end of your queries, assuming you utilize the backslash as your escape character.
您应该能够创建自己的转义函数,以“逃避”您想要注意的事物...最具体的是分号,在查询结束时使用... ESCAPE'\',假设您使用反斜杠作为你的逃脱角色。
Then you have the issue of someone intentionally inserting malicious content (XSS). Grigor provided one solution -- use htmlentities() on your strings.
然后你就会有人故意插入恶意内容(XSS)。 Grigor提供了一个解决方案 - 在字符串上使用htmlentities()。
#3
0
There are ways, but it depends on the target of your input, Please refer to this question to understand it better: What's the best method for sanitizing user input with PHP?
有方法,但这取决于你输入的目标,请参考这个问题来更好地理解它:用PHP消毒用户输入的最佳方法是什么?
#4
0
sqlite_escape_string() should do all the sanitizing you need to input the string. As for outputting it, if it's being outputted into HTML, then use htmlspecialcharts() on it before outputting it.
sqlite_escape_string()应该完成输入字符串所需的所有清理工作。至于输出它,如果它被输出到HTML,那么在输出之前使用htmlspecialcharts()。
#5
0
SQLite offers sqlite_escape_string() for that. It's only available for PHP 5, though.
SQLite为此提供了sqlite_escape_string()。但它仅适用于PHP 5。
Solely relying on these methods will not save you from injections, though. An imperative measure is to always validate user-provided input first, before subjecting it to methods, you have to rely on - but actually haven't authored.
但是,仅仅依靠这些方法并不能避免注射。一个必要的衡量标准是始终首先验证用户提供的输入,然后将其置于方法之前,您必须依赖 - 但实际上还没有创作。