php: how to prevent $_POST SQL injection

Published 2024-10-04 04:32:29, 2248 characters, 0 views, 0 comments


I have some PHP script and I think it has a lot of mistakes, because of my limited knowledge of concatenation and SQL injection. At first I did not have any trouble, because this script used PHP-MySQL.

But after I tried to change to InterBase, I met a lot of trouble.
Please help me identify my fault.

This is my query:

$sLimit = "";
        if ( isset( $_POST['iDisplayStart'] ) )
        {
                $sLimit = " FIRST ".$_POST['iDisplayStart']." SKIP ".$_POST['iDisplayLength'];
        }
$sOrder ="";
        $sOrder = " ORDER BY LINE_NAME ";
$sWhere = "";
        if (postVar('sSearch') !="" )
        {
                 $sWhere = " WHERE (LINE_NAME LIKE '%".$_POST['sSearch']."%' OR
                                MODEL_ONLY LIKE '%".$_POST['sSearch']."%' OR ".
                               " VER_ONLY LIKE '%".$_POST['sSearch']."%' OR ".
                               " LOT_SIZE LIKE '%".$_POST['sSearch']."%' OR ".
                               " START_SERIAL LIKE '%".$_POST['sSearch']."%' OR ".
                               " SERIAL_NO_LOW LIKE '%".$_POST['sSearch']."%' OR ".
                               " SERIAL_NO_UP LIKE '%".$_POST['sSearch']."%' OR ".
                               " PROD_NO LIKE '%".$_POST['sSearch']."%' OR ".
                               " PROD_DATE LIKE '%".$_POST['sSearch']."%') ";
        }
 $sQuery = "SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO, 
                   LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE 
            FROM DOC_TO".$sWhere.$sOrder.$sLimit.";";
 $rResult = ibase_query( $sQuery) or _doError(_ERROR30 . ' (<small>' . htmlspecialchars($sQuery) . '</small>): ' . ibase_errmsg() );  

 $sQuery = "SELECT COUNT(*) FROM (SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
                                         LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE 
                                  FROM DOC_TO'.$sWhere.$sOrder.$sLimit.')";
 $rResultFilterTotal = ibase_query( $sQuery) or _doError(_ERROR30 . ' (<small>' . htmlspecialchars($sQuery) . '</small>): ' . ibase_errmsg() );
 $aResultFilterTotal = ibase_fetch_assoc($rResultFilterTotal);
 $iFilteredTotal = $aResultFilterTotal[0];

Notes: I need to learn more about concatenation. Thanks in advance.


Error:

Dynamic SQL Error SQL error code = -104 Token unknown - line 3, column 39 '.. ORDER BY LINE_NAME ..'

Comments (2)

眼泪都笑了 2024-10-11 04:32:29


Looks as if it could run, so if it fails please describe how.

There is, however, one immediately visible mistake in it: in the lines

$sQuery = "SELECT COUNT(*) FROM (SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
                                         LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE 
                                  FROM DOC_TO'.$sWhere.$sOrder.$sLimit.')";

you are starting a string with double quotes and then try to interrupt the string with single quotes, which will not work. So the code must be:

$sQuery = "SELECT COUNT(*) FROM (SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
                                         LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE 
                                  FROM DOC_TO".$sWhere.$sOrder.$sLimit.")";

Depending on your environment, there is in addition an important security flaw in your code: for example, in the line

$sLimit = " FIRST ".$_POST['iDisplayStart']." SKIP ".$_POST['iDisplayLength'];

you are using $_POST to put the value directly into an SQL query, which opens a so-called SQL injection security hole.

雨后咖啡店 2024-10-11 04:32:29


i have found the answer from AndreKR's guidance:

$sLimit = "";
        if ( isset( $_POST['iDisplayStart'] ) )
        {
                $iDisplayStart  = $_POST['iDisplayStart'];
                $iDisplayLength = $_POST['iDisplayLength'];
                // cast after the assignment; calling settype() before the
                // variable is assigned has no effect on the POST value
                settype($iDisplayStart, 'integer');
                settype($iDisplayLength, 'integer');
                $sLimit = sprintf(" FIRST %d SKIP %d", $iDisplayStart, $iDisplayLength);
        }

and change all $_POST:

'%".$_POST['sSearch_0']."%'
into
''%".$_POST['sSearch_0']."%''   // this is to prevent injection for databases like Oracle, DB2, MS SQL, Firebird

and change:

$sQuery = "SELECT COUNT(*) FROM(......)
into
$sQuery = "SELECT COUNT(*) AS DCOUNT FROM DOC_TO".$sWhere.$sLimit.";"; // delete $sOrder

$aResultFilterTotal = ibase_fetch_assoc($rResultFilterTotal);
$iFilteredTotal = $aResultFilterTotal['DCOUNT'];  // changed from ......[0]

and add on the last PHP page:

ibase_free_result($rResultFilterTotal);  // free the query result, not the fetched array
?>
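The first answer points out that splicing $_POST values into the SQL text is an injection hole, and the second answer tries to close it by doubling quotes around the search term. Doubled quotes change what the LIKE pattern matches, but they do not stop the value from being parsed as SQL; the robust fix for both the paging values and the search term is to keep user data out of the SQL text entirely. The following is an added example, not code from the question or from either answer: it rebuilds the same DataTables-style query with integer casts for the paging values and `?` bind parameters for the search term, using the PHP interbase extension's ibase_prepare()/ibase_execute(). It assumes a Firebird server (FIRST/SKIP syntax), a connection `$db` opened elsewhere with ibase_connect(), the DOC_TO table with the columns from the question, and that iDisplayStart is the row offset and iDisplayLength the page size (-1 meaning all rows), as legacy DataTables sends them.

```php
<?php
// Added example, not from the original question or answers.
// Assumes: $db from ibase_connect(); table DOC_TO with the columns below;
// Firebird FIRST/SKIP syntax; DataTables-style iDisplayStart/iDisplayLength.

$searchColumns = ['LINE_NAME', 'MODEL_ONLY', 'VER_ONLY', 'PROD_NO', 'LOT_SIZE',
                  'START_SERIAL', 'SERIAL_NO_LOW', 'SERIAL_NO_UP', 'PROD_DATE'];

/**
 * Builds the data query, the bind values it needs, and the matching count
 * query. Nothing from $post is ever concatenated into the SQL text: the
 * search term travels as a bind value, the paging values are cast to int.
 */
function buildQueries(array $post, array $columns): array
{
    $params = [];

    // WHERE: one "col LIKE ?" per column, every placeholder bound to the
    // same value. A bound value is data to the server, never SQL, so quotes
    // or keywords in the term cannot change the statement. The % and _
    // wildcards in the term still act as LIKE wildcards (pattern, not SQL).
    $sWhere = '';
    if (isset($post['sSearch']) && $post['sSearch'] !== '') {
        $term  = '%' . $post['sSearch'] . '%';
        $parts = [];
        foreach ($columns as $col) {
            $parts[]  = $col . ' LIKE ?';
            $params[] = $term;
        }
        $sWhere = ' WHERE (' . implode(' OR ', $parts) . ')';
    }

    // Paging: (int) leaves only a number, and Firebird's FIRST/SKIP clause
    // belongs between SELECT and the column list, not after ORDER BY.
    // iDisplayLength of -1 means "all rows", so FIRST is omitted then.
    $sLimit = '';
    if (isset($post['iDisplayStart'], $post['iDisplayLength'])) {
        $length = (int) $post['iDisplayLength'];
        $start  = max(0, (int) $post['iDisplayStart']);
        $sLimit = ($length >= 0 ? sprintf(' FIRST %d', $length) : '')
                . sprintf(' SKIP %d', $start);
    }

    $colList  = implode(', ', $columns);
    $dataSql  = 'SELECT' . $sLimit . ' ' . $colList . ' FROM DOC_TO' . $sWhere
              . ' ORDER BY LINE_NAME';
    // Filtered total: same WHERE and same bind values, no paging, no ORDER BY.
    $countSql = 'SELECT COUNT(*) AS DCOUNT FROM DOC_TO' . $sWhere;

    return [$dataSql, $params, $countSql];
}

list($dataSql, $params, $countSql) = buildQueries($_POST, $searchColumns);

// Data rows: prepare the statement, then pass the bind values as arguments.
$stmt    = ibase_prepare($db, $dataSql);
$rResult = ibase_execute($stmt, ...$params)
    or die('query failed: ' . ibase_errmsg());
$rows = [];
while ($row = ibase_fetch_assoc($rResult)) {
    $rows[] = $row;
}
ibase_free_result($rResult);

// Filtered total, executed with exactly the same bind values.
$stmt   = ibase_prepare($db, $countSql);
$rCount = ibase_execute($stmt, ...$params)
    or die('count failed: ' . ibase_errmsg());
$iFilteredTotal = (int) ibase_fetch_assoc($rCount)['DCOUNT'];
ibase_free_result($rCount);
```

With this structure the only strings that ever reach the SQL parser are the fixed column list, the fixed ORDER BY and two integers, so the quoting questions raised in both answers no longer arise; if the column to sort on later becomes user-selectable, it should be checked against the same `$searchColumns` whitelist rather than concatenated.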