当前位置: 文江博客话题详情

PHP 保护查询免受 mysql 注入。

发布于 2024-09-16 05:24:38 字数 638 浏览 10 评论 0原文

如何将 mysql_real_escape_string() 添加到此:::

$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', 
                      firstname='$firstname', lastname='$lastname', email='$email', 
                      active='No', activecode='$activecode', dateofbirth='$dateofbirth', 
                      gender='$gender', title='$title', occupation='$occupation', 
                      address='$address', city='$city', country='$country', zip='$zip',
                      mobile='$mobile', telephone='$telephone', fax='$fax', 
                      website='$website'
                     ");
原文

How can I add mysql_real_escape_string() to this:::

$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', 
                      firstname='$firstname', lastname='$lastname', email='$email', 
                      active='No', activecode='$activecode', dateofbirth='$dateofbirth', 
                      gender='$gender', title='$title', occupation='$occupation', 
                      address='$address', city='$city', country='$country', zip='$zip',
                      mobile='$mobile', telephone='$telephone', fax='$fax', 
                      website='$website'
                     ");

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(5

丘比特射中我 2024-09-23 05:24:38
$result = mysql_send("  INSERT  customers
                        SET     user='".mysql_real_escape_string($username)."', 
                                pword='".mysql_real_escape_string($pass1)."', 
                                firstname='".mysql_real_escape_string($firstname)."', 
                                lastname='".mysql_real_escape_string($lastname)."', 
                                email='".mysql_real_escape_string($email)."', 
                                active='No', 
                                activecode='".mysql_real_escape_string($activecode)."', 
                                dateofbirth='".mysql_real_escape_string($dateofbirth)."', 
                                gender='".mysql_real_escape_string($gender)."', 
                                title='".mysql_real_escape_string($title)."', 
                                occupation='".mysql_real_escape_string($occupation)."', 
                                address='".mysql_real_escape_string($address)."', 
                                city='".mysql_real_escape_string($city)."', 
                                country='".mysql_real_escape_string($country)."', 
                                zip='".mysql_real_escape_string($zip)."', 
                                mobile='".mysql_real_escape_string($mobile)."', 
                                telephone='".mysql_real_escape_string($telephone)."', 
                                fax='".mysql_real_escape_string($fax)."', 
                                website='".mysql_real_escape_string($website)."'
                    ");

$result = mysql_send("  INSERT  customers
                        SET     user='".mysql_real_escape_string($username)."', 
                                pword='".mysql_real_escape_string($pass1)."', 
                                firstname='".mysql_real_escape_string($firstname)."', 
                                lastname='".mysql_real_escape_string($lastname)."', 
                                email='".mysql_real_escape_string($email)."', 
                                active='No', 
                                activecode='".mysql_real_escape_string($activecode)."', 
                                dateofbirth='".mysql_real_escape_string($dateofbirth)."', 
                                gender='".mysql_real_escape_string($gender)."', 
                                title='".mysql_real_escape_string($title)."', 
                                occupation='".mysql_real_escape_string($occupation)."', 
                                address='".mysql_real_escape_string($address)."', 
                                city='".mysql_real_escape_string($city)."', 
                                country='".mysql_real_escape_string($country)."', 
                                zip='".mysql_real_escape_string($zip)."', 
                                mobile='".mysql_real_escape_string($mobile)."', 
                                telephone='".mysql_real_escape_string($telephone)."', 
                                fax='".mysql_real_escape_string($fax)."', 
                                website='".mysql_real_escape_string($website)."'
                    ");
回复 原文
等风来 2024-09-23 05:24:38

我这样做(假设 HTML 表单的字段名称与数据库字段名称完全匹配):

$fields = explode(" ","user pword firstname lastname email ative activecode dateofbirth gender title occupation address city country zip mobile telephone fax website");

$_POST['active'] = "Mo"; // I know it's kinda dirty but it works. 
$sql = "INSERT INTO customers SET ".makeDdbSet($fields);

function makeDdbSet($fields) {
  $q='';
  foreach ($fields as $v) $q.="`$v` = '".mysql_real_escape_string($_POST[$v])."', ";
  return trim($q,", ");
}

对我来说看起来很整洁。

I make it this way (assuming HTML form's field names exactly match a database field name):

$fields = explode(" ","user pword firstname lastname email ative activecode dateofbirth gender title occupation address city country zip mobile telephone fax website");

$_POST['active'] = "Mo"; // I know it's kinda dirty but it works. 
$sql = "INSERT INTO customers SET ".makeDdbSet($fields);

function makeDdbSet($fields) {
  $q='';
  foreach ($fields as $v) $q.="`$v` = '".mysql_real_escape_string($_POST[$v])."', ";
  return trim($q,", ");
}

looks neat to me.

回复 原文
萌吟 2024-09-23 05:24:38

也许你可以花一些时间看看 Doctrine ORM。

保存到数据库将如下所示:

$customer = new Customer();
$customer->fromArray($data); // $data = array("firstname"=>"John", ...)
$customer->save();

一切都将被转义,您的程序也将更具可读性......

Maybe you can take some time and check out Doctrine ORM.

Saving to database would then look like:

$customer = new Customer();
$customer->fromArray($data); // $data = array("firstname"=>"John", ...)
$customer->save();

Everything will be escaped, your program will also be more readable ...

回复 原文
骄兵必败 2024-09-23 05:24:38

逃跑是相当老套的事情。相反,使用准备好的语句来分隔查询和数据。

这可以为您节省很多的麻烦。

$sql = "INSERT customers SET user=:user, pword = :pword .....";
$sth = $dbh->prepare($sql);
$sth->execute(array('user => $username, 'pword' => $password));

根据获取数据的位置,您也可以直接将其放入数组中。

例如,如果您从表单中获取大量数据,变量名称为 pword、user 等,您可以直接使用该数组

$sth->execute($_POST);

Escaping is quite old-school. Instead, use prepared statements to separate queries and data.

This saves you lots of headaches.

$sql = "INSERT customers SET user=:user, pword = :pword .....";
$sth = $dbh->prepare($sql);
$sth->execute(array('user => $username, 'pword' => $password));

Depending on where you get the data from, you might also directly have it in an array.

For example, in case you get a lot of data from a form, with the variable names pword, user and so on you can directly use that array

$sth->execute($_POST);
回复 原文
请爱~陌生人 2024-09-23 05:24:38
$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', firstname='".mysql_real_escape_string($firstname)."', lastname='".mysql_real_escape_string($lastname)."', email='".mysql_real_escape_string($email)."', active='No', activecode='".mysql_real_escape_string($activecode)."', dateofbirth='".mysql_real_escape_string($dateofbirth)."', gender='".mysql_real_escape_string($gender)."', title='".mysql_real_escape_string($title)."', occupation='".mysql_real_escape_string($occupation)."', address='".mysql_real_escape_string($address)."', city='".mysql_real_escape_string($city)."', country='".mysql_real_escape_string($country)."', zip='".mysql_real_escape_string($zip)."', mobile='".mysql_real_escape_string($mobile)."', telephone='".mysql_real_escape_string($telephone)."', fax='".mysql_real_escape_string($fax)."', website='".mysql_real_escape_string($website)."'");

$result = mysql_send("INSERT customers SET user='$username', pword='$pass1', firstname='".mysql_real_escape_string($firstname)."', lastname='".mysql_real_escape_string($lastname)."', email='".mysql_real_escape_string($email)."', active='No', activecode='".mysql_real_escape_string($activecode)."', dateofbirth='".mysql_real_escape_string($dateofbirth)."', gender='".mysql_real_escape_string($gender)."', title='".mysql_real_escape_string($title)."', occupation='".mysql_real_escape_string($occupation)."', address='".mysql_real_escape_string($address)."', city='".mysql_real_escape_string($city)."', country='".mysql_real_escape_string($country)."', zip='".mysql_real_escape_string($zip)."', mobile='".mysql_real_escape_string($mobile)."', telephone='".mysql_real_escape_string($telephone)."', fax='".mysql_real_escape_string($fax)."', website='".mysql_real_escape_string($website)."'");
回复 原文
~没有更多了~

关于作者

独孤求败

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

lixs

文章 0 评论 0

敷衍 

文章 0 评论 0

盗梦空间

文章 0 评论 0

tian

文章 0 评论 0

13375331123

文章 0 评论 0

你对谁都笑

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文