Is it safe to run this query on a page that people will visit?
Sorry, this is probably a really stupid question, but is it safe to run this code on the page people will be viewing, or should I wrap this into a function instead and call it?
$stmt = $db->prepare("select * from .... where userid = ? and username = ?"); /* $db is a mysqli connection */
/* Binding 2 parameters. */
$stmt->bind_param("is", $userid, $username);
/* Binding the 5 result columns (bind_result() must match the column count of the result set). */
$stmt->bind_result($isbn, $title, $author, $coef, $bookid);
/* Executing the statement */
$stmt->execute( ) or die ("Could not execute statement");
/*
* Making PHP buffer the whole result,
* not recommended if there is a blob or
* text field as PHP eats loads of memory
*/
$stmt->store_result();
while ($stmt->fetch()) {
/*
* Here you can use the variables $isbn, $title, $author, $coef, $bookid,
* which contain the data for 1 row.
*/
print "<tr>".
"<td>".htmlspecialchars($isbn)."</td>".
"<td>".htmlspecialchars($title)."</td>".
"<td>".htmlspecialchars($author)."</td>".
"</tr>"; /* close the row; escaping keeps stored values from being rendered as markup */
}
Comments (2)
They will be the same from a security point of view. It's a question of software design. However, you may want to consider better error handling (at least for production). Specifically, it's not really necessary to leak the cause of the error ("Could not execute statement"). Usually, you want a generic error page ("Sorry, the server's having problems! Try going to the home page.").
Correct me if I'm wrong, but you seem to be concerned that people can view your PHP code, but that if you put it in a different file they wouldn't see anything meaningful, correct?
Whether or not that code is a function away doesn't matter. Even on PHP pages that people 'view' they don't get to see the code, just the HTML that gets rendered. Between the php tags, the only stuff that affects what the user can see if they were to hit 'view source' is stuff that gets echoed or printed or whatever.
Try to view the PHP here, I dare you! http://lirr42.mta.info/schedules.php (this is just a random example, nothing special compared to anything else)
What you need to worry about security-wise is the input and SQL injection. It seems that your parameterization handles that. I would imagine either that user name or user id comes from a form, and you need to make sure that some jerk doesn't enter a username like
blah' OR 1=1
and cheat. Your prepared statement and parameter binding should handle that. If you are unsure you can sanitize with mysql_real_escape