Course: PHP with MySQL Essential Training: 1 The Basics

Sanitize data for SQL

- [Instructor] In the last movie, we learned about SQL injection, and we saw just how bad it can be. In this movie, we're going to learn what we can do about it. If you think about it, breaking the syntax of SQL is similar to how we could break the syntax of a URL or HTML for cross-site scripting. And the solution here is similar to what it was for both of those. We need to convert characters which have special meaning to SQL into data. We need to escape the string that is transformant, so that any characters that have meaning and power are rendered harmless. In simple terms, the solution is to add a backslash before all single quotes in the string. That's how we escape them for SQL. So for example, if we had a subject whose menu name was David's story, we'd put a backslash in front of the single quote. And now SQL would no longer think that it was a special control character in SQL, indicating the end of the value. It would see it as just simply being data. It's…
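The escaping rule described above, as an added PHP example that is not the course's own code. It shows the literal "backslash before every single quote" transformation side by side with the vulnerable string-concatenated query, the same query built with `mysqli_real_escape_string()` (which applies that rule and also handles backslashes, NUL bytes and the connection's character set), and a prepared statement, which keeps the value out of the SQL text entirely. It assumes a live `mysqli` connection to a database with a `subjects` table holding a `menu_name` column; the connection credentials are placeholders, and the `menu_name` value `David's story` comes from the transcript.

```php
<?php
// Added example, not code from the course. Assumes a mysqli connection
// to a database with a `subjects` table that has a `menu_name` column.

declare(strict_types=1);

/**
 * The literal rule from the transcript: put a backslash before every
 * single quote so MySQL reads the quote as data rather than as the end
 * of the string literal. Illustration only; in real code use
 * mysqli_real_escape_string(), which also escapes backslashes, NUL and
 * control characters and respects the connection's character set.
 */
function escapeSingleQuotes(string $value): string
{
    return str_replace("'", "\\'", $value);
}

/** Vulnerable: the raw value is pasted straight into the SQL text. */
function buildQueryUnsafe(string $menuName): string
{
    return "SELECT id, menu_name FROM subjects WHERE menu_name = '" . $menuName . "'";
}

/** Escaped: special characters are neutralised before concatenation. */
function buildQueryEscaped(mysqli $db, string $menuName): string
{
    $safe = mysqli_real_escape_string($db, $menuName);
    return "SELECT id, menu_name FROM subjects WHERE menu_name = '" . $safe . "'";
}

/**
 * Preferred: a prepared statement sends the value separately from the
 * SQL, so there is nothing to escape and no quoting to get wrong.
 * get_result() requires the mysqlnd driver (assumed available).
 */
function findSubjectPrepared(mysqli $db, string $menuName): ?array
{
    $stmt = $db->prepare("SELECT id, menu_name FROM subjects WHERE menu_name = ?");
    $stmt->bind_param('s', $menuName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample input containing a single quote (from the transcript).
$input = "David's story";

// Without escaping, the quote inside the value closes the string literal
// early and the rest of the input becomes part of the SQL syntax.
echo "Unsafe:  ", buildQueryUnsafe($input), PHP_EOL;

// With the backslash in place, the quote is just data to MySQL.
echo "Escaped: ", escapeSingleQuotes($input), PHP_EOL;

// Placeholder credentials; replace with your own connection details.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

echo "Escaped query: ", buildQueryEscaped($db, $input), PHP_EOL;

$subject = findSubjectPrepared($db, $input);
echo "Prepared lookup: ", $subject ? $subject['menu_name'] : '(no row)', PHP_EOL;

$db->close();
```

A quick way to check the escaping in any PHP project is to feed a value with a single quote through both `buildQueryUnsafe()` and `buildQueryEscaped()` and compare the SQL text: the unsafe version shows the literal closing early, while the escaped version shows `\'` inside it. Even so, escaping only protects values that sit inside quoted string literals; numeric values, column names and `LIMIT` clauses are not covered by it, which is one reason prepared statements are the default choice.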
