这是我的代码:
$email= MysqLi_real_escape_string($db_con,$_POST['email']); $psw= MysqLi_real_escape_string($db_con,$_POST['psw']); $query = "INSERT INTO `users` (`email`,`psw`) VALUES ('".$email."','".$psw."')";
解决方法
Could someone tell me if it is secure or if it is vulnerable to the sql Injection attack or other sql attacks ?
正如uri2x所说,见SQL injection that gets around mysql_real_escape_string()
.
The best way to prevent SQL injection is to use prepared statements.它们将数据(您的参数)与指令(SQL查询字符串)分开,并且不会为数据留下任何污染查询结构的空间.准备好的声明解决了fundamental problems of application security之一.
对于无法使用预准备语句(例如LIMIT)的情况,为每个特定目的使用非常严格的白名单是保证安全性的唯一方法.
// This is a string literal whitelist switch ($sortby) { case 'column_b': case 'col_c': // If it literally matches here,it's safe to use break; default: $sortby = 'rowid'; } // Only numeric characters will pass through this part of the code thanks to type casting $start = (int) $start; $howmany = (int) $howmany; if ($start < 0) { $start = 0; } if ($howmany < 1) { $howmany = 1; } // The actual query execution $stmt = $db->prepare( "SELECT * FROM table WHERE col = ? ORDER BY {$sortby} ASC LIMIT {$start},{$howmany}" ); $stmt->execute(['value']); $data = $stmt->fetchAll(PDO::FETCH_ASSOC);
我认为上面的代码不受sql注入的影响,即使在不起眼的边缘情况下也是如此.如果你正在使用MysqL,请确保你转动模拟准备.
$db->setAttribute(\PDO::ATTR_EMULATE_PREPARES,false);
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。