基本的 SQL 注入?
上一个问题告诉我,我的查询很容易受到 SQL 注入。
get_stats = mysql_query("SELECT *
FROM visitors
WHERE site='$_GET[site]'
AND date BETWEEN '$start_date' AND '$end_date' ");
解决这个问题最简单的方法是什么?您有关于注射主题的进一步阅读吗? (我可能会在谷歌上错过一些东西)。谢谢!
I was told in a previous question that my query is prone to SQL injections.
get_stats = mysql_query("SELECT *
FROM visitors
WHERE site='$_GET[site]'
AND date BETWEEN '$start_date' AND '$end_date' ");
What would be the easiest way to approach this problem? And do you have some further reading on the subject of injections? (something that I might miss on Google). Thanks!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
使用准备好的语句。
在大多数情况下,准备好的语句会以安全的方式将查询与参数组合起来。
Use Prepared Statements.
In most cases, Prepared Statements do the job of combining your query with your parameters, in a safe manner.
$_GET['site'] 是直接来自浏览器中的 URL 的值,这意味着用户可以轻松地将此值更改为他们想要的任何值,您应该在将其发送到数据库之前检查/清理该值,实际上所有值。
像这样的事情将是一个开始,仍然可以使用更多的工作,并且有很多方法可以做到这一点,我将创建一个自定义函数/类来轻松地通过站点范围传递所有变量,这可以简单地重复这样的东西
$_GET['site'] is a value that comes straight from the URL in the browser which means a user could easily change this value to anything they want, you should check/sanitize that value, all values actually before sending it to a database.
Something like this would be a start, could still use more work and there is many ways of doing it, I would create a custom function/class to easily pass all variables through sitewide which can simply repetitive stuff like this
mysql_real_escape_string 是最基本、最简单的形式这里的安全。
mysql_real_escape_string is the most basic and easiest form of security here.