php: 如何防止$_POST SQL注入
我有一些 php 脚本,我认为这有很多错误。因为我对连接和 SQL 注入的了解有限。第一次我没有遇到任何问题,因为这个脚本使用 PHP-Mysql。
但是当我尝试换成Interbase之后,我遇到了很多麻烦。 请帮忙找出我的错。
这是我的以下查询:
$sLimit = "";
if ( isset( $_POST['iDisplayStart'] ) )
{
$sLimit = " FIRST ".$_POST['iDisplayStart']." SKIP ".$_POST['iDisplayLength'];
}
$sOrder ="";
$sOrder = " ORDER BY LINE_NAME ";
$sWhere = "";
if (postVar('sSearch') !="" )
{
$sWhere = " WHERE (LINE_NAME LIKE '%".$_POST['sSearch']."%' OR
MODEL_ONLY LIKE '%".$_POST['sSearch']."%' OR ".
" VER_ONLY LIKE '%".$_POST['sSearch']."%' OR ".
" LOT_SIZE LIKE '%".$_POST['sSearch']."%' OR ".
" START_SERIAL LIKE '%".$_POST['sSearch']."%' OR ".
" SERIAL_NO_LOW LIKE '%".$_POST['sSearch']."%' OR ".
" SERIAL_NO_UP LIKE '%".$_POST['sSearch']."%' OR ".
" PROD_NO LIKE '%".$_POST['sSearch']."%' OR ".
" PROD_DATE LIKE '%".$_POST['sSearch']."%') ";
}
$sQuery = "SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE
FROM DOC_TO".$sWhere.$sOrder.$sLimit.";";
$rResult = ibase_query( $sQuery) or _doError(_ERROR30 . ' (<small>' . htmlspecialchars($sql) . '</small>): ' . ibase_errmsg() );
$sQuery = "SELECT COUNT(*) FROM (SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE
FROM DOC_TO'.$sWhere.$sOrder.$sLimit.')";
$rResultFilterTotal = ibase_query( $sQuery) or _doError(_ERROR30 . ' (<small>' . htmlspecialchars($sql) . '</small>): ' . ibase_errmsg() );
$aResultFilterTotal = ibase_fetch_assoc($rResultFilterTotal);
$iFilteredTotal = $aResultFilterTotal[0];
注释:我需要了解有关串联的更多信息。感谢您的帮助。
错误:
Dynamic SQL Error SQL error code = -104 Token unknown - line 3, column 39 '.. ORDER BY LINE_NAME ..'
i have some php script and i think this have a lot of mistake. because of my limited knowledge in concatenation and SQL injection. At 1st time i'm not have any trouble because this script use PHP-Mysql.
But after i try to change into Interbase, i meet a lot of trouble.
Please help to identify my fault.
this my following query:
$sLimit = "";
if ( isset( $_POST['iDisplayStart'] ) )
{
$sLimit = " FIRST ".$_POST['iDisplayStart']." SKIP ".$_POST['iDisplayLength'];
}
$sOrder ="";
$sOrder = " ORDER BY LINE_NAME ";
$sWhere = "";
if (postVar('sSearch') !="" )
{
$sWhere = " WHERE (LINE_NAME LIKE '%".$_POST['sSearch']."%' OR
MODEL_ONLY LIKE '%".$_POST['sSearch']."%' OR ".
" VER_ONLY LIKE '%".$_POST['sSearch']."%' OR ".
" LOT_SIZE LIKE '%".$_POST['sSearch']."%' OR ".
" START_SERIAL LIKE '%".$_POST['sSearch']."%' OR ".
" SERIAL_NO_LOW LIKE '%".$_POST['sSearch']."%' OR ".
" SERIAL_NO_UP LIKE '%".$_POST['sSearch']."%' OR ".
" PROD_NO LIKE '%".$_POST['sSearch']."%' OR ".
" PROD_DATE LIKE '%".$_POST['sSearch']."%') ";
}
$sQuery = "SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE
FROM DOC_TO".$sWhere.$sOrder.$sLimit.";";
$rResult = ibase_query( $sQuery) or _doError(_ERROR30 . ' (<small>' . htmlspecialchars($sql) . '</small>): ' . ibase_errmsg() );
$sQuery = "SELECT COUNT(*) FROM (SELECT LINE_NAME, MODEL_ONLY, VER_ONLY, PROD_NO,
LOT_SIZE, START_SERIAL, SERIAL_NO_LOW, SERIAL_NO_UP, PROD_DATE
FROM DOC_TO'.$sWhere.$sOrder.$sLimit.')";
$rResultFilterTotal = ibase_query( $sQuery) or _doError(_ERROR30 . ' (<small>' . htmlspecialchars($sql) . '</small>): ' . ibase_errmsg() );
$aResultFilterTotal = ibase_fetch_assoc($rResultFilterTotal);
$iFilteredTotal = $aResultFilterTotal[0];
notes: i need learn more about concatenation.thanks for advance.
error:
Dynamic SQL Error SQL error code = -104 Token unknown - line 3, column 39 '.. ORDER BY LINE_NAME ..'
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
看起来好像可以运行,所以如果失败,请描述如何运行。
然而,其中有一个立即可见的错误:在该行中,
您以双引号开始一个字符串,并尝试用单引号中断该字符串,但这是行不通的。因此,代码必须是:
根据您的环境,您的代码中还存在一个重要的安全缺陷:例如,在
您使用 $_POST 直接将其放入 SQL 查询的行中,这会打开所谓的 SQL 注入安全性洞。
Looks as if it could run, so if it fails please describe how.
There is, however, one immediately visible mistake in it: In the lines
you are starting a string with double quotes and you try to interrupt the string with single quotes, which will not work. So the code must be:
Depending on your environment in addition there is an important security flaw in your code: For example in the line
you are using $_POST to put it directly into an SQL query, which opens a so-called SQL injection security hole.
我从 AndreKR 的指导中找到了答案:
并更改所有 $_POST:
并更改 :
并在最后一个 php 页面添加:
i have found the answer from AndreKR's guidance:
and change all $_POST:
and change :
and add at the last php page: