How does sprintf() protect against SQL injection?

2020-02-29 03:44发布

问题:

I have heard that sprintf() protects against SQL injection. Is it true? If so, how?

Why people are recommending to write query like this:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = %s AND COL2 = %s',$col1,$col2);

回答1:

sprintf won't protect you! It only replaces the %s

you must mysql_real_escape_string so:

$sql = sprintf('SELECT * FROM TABLE WHERE COL1 = "%s" AND COL2 = "%s"',
mysql_real_escape_string($col1),
mysql_real_escape_string($col2));

is safer injection

note: I suggest you take a look at PDO, it is what I like to use for DBconections and queries



回答2:

That doesn't do any protection. Using sprintf makes for more readable code then dropping in and out of a string to run mysql_real_escape_string over each of the variables … but that example doesn't escape the variables at the end so that advantage is lost.

If you want decent protection, use something that provides bound parameters.



回答3:

Using sprintf might protect against SQL injection for numeric fields:

$sql = sprintf("SELECT * FROM table WHERE col1 = %i", $col1);

By using sprintf in this way, you can be sure that $col1 will be converted to an integer--although it might generate an error or warning, if it's not truly an integer.

The proper way to protect against SQL injection is to check all of your input values, and do escaping. But that's much more thoroughly covered in other questions, so I'm not going to go into detail here.



回答4:

It obviously doesn't and if you've actually read that in a book or tutorial you should automatically discard it for future reference.

However, it can be a practical way to generate output that needs further processing. Please compare:

echo '<p>Hello, <strong></strong>' . htmlspecialchars($name) . ', welcome to ' . htmlspecialchars($place). '</p>';

echo sprintf('<p>Hello, <strong>%s</strong>, welcome to %s</p>',
    htmlspecialchars($name),
    htmlspecialchars($place)
);

Same applies to other kind of output, such as SQL code, but of course you still need to do something to input in order to make it safe: sprintf() is just a regular string function that's unaware of SQL and databases.

Please note that bind parameters use a similar syntax:

// Fictional DB abstraction layer
$sql = 'SELECT foo_id
    FROM foo
    WHERE name=:name AND status=:status';
$params = array(
    'name' => $name,
    'status' => $status,
);
$result = $db->run($sql, $params);

That's why I particularly find easier to use those DB libraries that provide this syntax, such as PDO.