How to prevent SQL injection in CakePHP

Published 2024-10-01 09:44:31

How do I block SQL injections from a page like this one... http://u.neighborrow.com/items/recent

Comments (3)

惯饮孤独 2024-10-08 09:44:31

CakePHP already protects you against SQL injection if you use CakePHP's ORM methods (such as find() and save()) and proper array notation (i.e. array('field' => $value)) instead of raw SQL. For sanitization against XSS it's generally better to save raw HTML in the database without modification and sanitize at the time of output/display.

This should give you a good idea of how to do it.

App::import('Sanitize');

class MyController extends AppController {
    ...
    ...
}

Once you've done that, you can make calls to Sanitize statically.

谁的新欢旧爱 2024-10-08 09:44:31

CakePHP takes care of it. Read their book.

瞳孔里扚悲伤 2024-10-08 09:44:31

You need sanitize only in the rare cases where you need to write raw queries.

Raw query is:

$this->User->query("select username from users where email='$email_received_from_user_form'");

Before executing that you need to:

App::import('Sanitize');

$email_received_from_user_form = Sanitize::paranoid($email_received_from_user_form, array('@', '_', '-', '.'));

If used right, data sanitization will remove/edit all the malicious chars in the query (no SQL injections).

See here: http://book.cakephp.org/2.0/en/core-utility-libraries/sanitize.html

After you learn all about Data Sanitization try to never use it. Use the CakePHP way like so:

$this->User->field('username', array('email' => $email_received_from_user_form));

In this case you don't have to worry about SQL injections at all. You should never use raw queries unless you don't have any other choice.
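As an added example (not code from this thread or from CakePHP itself), here is a CakePHP 2.x controller action that contrasts the interpolated raw query the last answer warns about with the array-conditions form it recommends, plus a placeholder-bound raw query for the cases where raw SQL really is unavoidable. The `User` model, `users` table and `email` field are carried over from the answer; the `UsersController::lookup()` action and the form field name are assumptions.

```php
<?php
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $uses = array('User');

    /**
     * Look up a username by e-mail address.
     * $email is untrusted input (assumed to arrive as User.email form data).
     */
    public function lookup() {
        $email = (string)$this->request->data('User.email');

        // UNSAFE pattern (the one from the thread, kept commented out):
        // the value is spliced into the SQL text, so a quote character in
        // the input ends the string literal and the remainder is parsed
        // as SQL. Remove this wherever it appears.
        // $rows = $this->User->query(
        //     "SELECT username FROM users WHERE email='$email'"
        // );

        // SAFE, the CakePHP way: conditions as an array. The ORM quotes
        // the value itself, so the input can only ever be compared
        // against the column, never interpreted as SQL.
        $username = $this->User->field('username', array('User.email' => $email));

        // SAFE when raw SQL is unavoidable: a placeholder in the SQL and
        // the value passed separately. DboSource prepares the statement
        // and binds the parameter, so the text is never parsed as SQL.
        $rows = $this->User->query(
            'SELECT username FROM users WHERE email = ?',
            array($email)
        );

        $this->set(compact('username', 'rows'));
    }
}
```

Note that Sanitize::paranoid() from the earlier answers deletes every character outside its allowlist, so with the list shown above it would silently strip a '+' from an otherwise valid address; binding the value as a parameter leaves the data intact while still preventing injection.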
