Prevent SQL Injection without MySQLi or PDO
I know that I can use prepared statement to prevent SQL injection. I can do it using MySQLi or PDO. But I have a developed a large CRM using PHP/ MySQL (mysql_query). If I have to change each and every query into PDO or MySQLi, it will take at least a month. The script got more that 500 MySQL query statement.
I really need help in this matter. Can anyone tell me that how to prevent SQL injection not using MySQLi or PDO?
Can anyone tell me that how to prevent SQL injection not using MySQLi or PDO [in an existing application which has over 500 raw MySQL statements]?
Short Answer
No.
Architecturally, your application needs a top-to-bottom rewrite (with regards to its database access structures) to become safe on the web. Going hog-wild with data sanitizers and statement heuristics would be far more dangerous and time-consuming than simply implementing a reliable SQL abstraction layer as part of your revision strategy.
My recommendation is that you at least implement Doctrine . Probably the Doctrine Database Abstraction Layer (DBAL) would be a good start, especially for a port from a legacy database strategy like the one you described; or go a step up with the Doctrine Object Relational Mapper (ORM). Better yet, build your future applications (or application re-builds) using a framework that already includes these database libraries, like Symfony 2 or Silex.
链接地址: http://www.djcxy.com/p/93768.html上一篇: PDO准备的语句正确吗?
下一篇: 防止没有MySQLi或PDO的SQL注入