PHP include numeric
If I build my pages like this, do I have to check if news_id is numeric in news.php too? Or is this safe?
index.php:
if (ctype_digit($_GET['news_id'])) include('news.php');
news.php:
$query = mysql_query("SELECT * FROM news WHERE news_id = $_GET[news_id]");
$row = mysql_fetch_assoc($query);
if (!mysql_num_rows($query)) exit("The news you're trying to read does not exist.");
The other answers are absolutely correct: you should never allow any user input directly into your database, or any other sensitive area.
You should validate/sanitize all input from $_GET, $_POST etc. You can use PHP's built-in filter functions or use those built into a framework such as CakePHP or Symfony, which both make handling user data a lot easier.
jonstjohn has a good point: you are leaving yourself open to SQL injection this way, and to other forms of attack based around feeding malicious code into your application.
Worth reading Jeff Atwood’s 25 most dangerous programming mistakes for a bit of background on these issues, and others besides.
Short answer: Yes, you should.
Someone might (and will) request news.php, bypassing index.php.
You really should escape your data and sanitize it before sending it into MySQL. No guarantee someone won't try to send something malicious in through the post data.
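The three answers above make the same point from different angles: news.php must validate its own input because it can be requested directly (bypassing index.php), and the value must never be interpolated into the SQL string. The following is an added example of a news.php written that way; it is not code from the question or from any of the answers. It uses PDO with a prepared statement instead of the mysql_* functions in the question (that extension was removed in PHP 7.0), and the DSN, credentials and the assumption that news ids start at 1 are placeholders of my own. Table and column names are the ones from the question.

```php
<?php
// Added example (not from the question or any answer): a news.php that
// validates its own input and binds it as a parameter, so it is safe
// whether or not index.php ran first.
declare(strict_types=1);

/**
 * Return the news id as an int, or null if the raw value is not an
 * integer string. FILTER_VALIDATE_INT rejects values such as "12abc",
 * "1e3", "0x1A" and "" that a loose comparison or a cast would accept.
 * Assumption: ids start at 1, hence min_range.
 */
function validateNewsId($raw): ?int
{
    if (!is_string($raw)) {
        return null; // ?news_id[]=1 arrives as an array; reject it outright
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Stand-alone check: this file no longer trusts that index.php ran first.
$newsId = validateNewsId($_GET['news_id'] ?? null);
if ($newsId === null) {
    http_response_code(400);
    exit('Invalid news id.');
}

// Placeholder DSN and credentials; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// The id is bound as a typed parameter, never concatenated into the SQL
// text, so its content cannot alter the structure of the query.
$stmt = $pdo->prepare('SELECT * FROM news WHERE news_id = :id');
$stmt->bindValue(':id', $newsId, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    exit("The news you're trying to read does not exist.");
}
```

Two design points: the validation lives in the file that runs the query, not in a caller that may or may not have been involved, and the prepared statement means correctness no longer depends on the validation being perfect, since even a value that slipped through would be treated as data rather than as SQL.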