How to avoid SQL injection in CodeIgniter?

Posted on 2024-11-04 17:56:15, 392 characters, 5 views, 0 comments

Is there any method to set in config file to avoid SQL injection? I am using this code for selecting values:

$this->db->query("SELECT * FROM tablename WHERE var='$val1'");

And this for inserting values:

$this->db->query("INSERT INTO  tablename (`var1`,`var2`) VALUES ('$val1','$val2')");

Another way to insert and select values from the database is CodeIgniter's insert() and get() methods. Is there any chance of SQL injection while using CodeIgniter's built-in functions?

Comments (7)

誰認得朕 2024-11-11 17:56:16

CodeIgniter's Active Record methods automatically escape queries for you, to prevent SQL injection.

$this->db->select('*')->from('tablename')->where('var', $val1);
$this->db->get();

or

$this->db->insert('tablename', array('var1'=>$val1, 'var2'=>$val2));

If you don't want to use Active Record, you can use query bindings to prevent injection.

$sql = 'SELECT * FROM tablename WHERE var = ?';
$this->db->query($sql, array($val1));

Or for inserting you can use the insert_string() method.

$sql = $this->db->insert_string('tablename', array('var1'=>$val1, 'var2'=>$val2));
$this->db->query($sql);

There is also the escape() method if you prefer to run your own queries.

$val1 = $this->db->escape($val1);
$this->db->query("SELECT * FROM tablename WHERE var=$val1");
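Putting this answer's suggestions together, here is an added example (not code from the answer or from CodeIgniter itself): a CodeIgniter 3 model that rewrites the two raw queries from the question with query bindings, the Query Builder and escape(). The table and column names come from the question; the model class name is an assumption, and the methods used (query(), get_where(), insert(), insert_id(), escape()) are standard CI 3 database methods.

```php
<?php
// Added example, not from the answer above. Assumes a table `tablename`
// with columns `var`, `var1`, `var2` (names from the question) and that
// the database library is loaded, so $this->db is available.
class Tablename_model extends CI_Model
{
    // SELECT ... WHERE var = ? with the value bound: the driver escapes
    // and quotes $val1 itself, so the SQL text never contains the raw input.
    public function find_by_var($val1)
    {
        $sql = 'SELECT * FROM tablename WHERE var = ?';
        return $this->db->query($sql, array($val1))->result_array();
    }

    // Same lookup through the Query Builder (Active Record in CI 2):
    // the builder escapes the value and assembles the statement.
    public function find_by_var_builder($val1)
    {
        return $this->db->get_where('tablename', array('var' => $val1))->result_array();
    }

    // INSERT with escaping done by the builder; returns the new row id.
    public function add_row($val1, $val2)
    {
        $this->db->insert('tablename', array('var1' => $val1, 'var2' => $val2));
        return $this->db->insert_id();
    }

    // Hand-written SQL: escape() returns the value ALREADY wrapped in
    // single quotes (e.g. O'Brien becomes 'O\'Brien' on MySQL), so the
    // query must not add a second pair of quotes around it.
    public function find_by_var_escaped($val1)
    {
        $quoted = $this->db->escape($val1);
        return $this->db->query("SELECT * FROM tablename WHERE var = $quoted")->result_array();
    }
}
```

Whichever form is used, the input reaches the database only as a quoted, escaped value; the vulnerable version in the question differs precisely in splicing the raw string into the SQL text.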

天气好吗我好吗 2024-11-11 17:56:16

You can use the

$this->db->escape()

method:

$sql = "INSERT INTO table (title) VALUES(".$this->db->escape($omgomg).")";

Other methods are listed here:

http://codeigniter.com/user_guide/database/queries.html

溺孤伤于心 2024-11-11 17:56:16

You should try to avoid writing your queries directly into a string and then passing them to the query function. A better option would be to use the Active Record class which will build your queries for you and escape the values. http://codeigniter.com/user_guide/database/active_record.html

If you want to avoid using the Active Record class for whatever reason then you can view the Codeigniter documentation for the database class which has an escape method for escaping your values before passing them to the query method. http://www.codeignitor.com/user_guide/database/queries.html

Ben

稀香 2024-11-11 17:56:16

When accepting a value from the client side, it is better to use this code:

$client = $this->input->post('client',TRUE);

When inserting, it is better to use CodeIgniter's insert method:

$this->db->insert('tablename',$values);

When using this method, CodeIgniter automatically does all the escaping, so we do not need to escape manually.

寻找我们的幸福 2024-11-11 17:56:16

In CodeIgniter:
There are 2 actions to prevent SQL injection.
For those who are new to web programming, another kind of security hole in web programming which can be fatal, because it can expose the inner side of your application's database, is SQL injection.

And thankfully again, CodeIgniter has the capability to deal with it. But unfortunately, many of the CI programmers I have collaborated with (and even you) did (or might) forget these two actions to prevent any circumstance of SQL injection.

Stick with the ActiveRecord capability
The first thing is: do not, under any circumstances, query the data by using a full query like this:

$this->db->query("select * from users where user=$user and password=$password")

You don't know exactly what is inside the $user or $password variable when it comes to a user who will deliberately do the wrong thing. Even an XSS sanitiser won't deal with someone who inputs a combination of quote, semicolon or dash characters in it.
So in this case, you need to learn this Active Record thing, because it has an input sanitiser capability dedicated to preventing SQL injection. And don't worry, it supports function chaining like this:

$this->db->select('title')->from('mytable')->where('id', $id)->limit(10, 20);

$query = $this->db->get();

But remember, it won't work if you still combine a usual (partial) query string inside an Active Record function like this:

$query = $this->db->where("title LIKE '%$input%'");

Which could actually be changed like this:

$query = $this->db->like("title", $input);

The point is, use every bit of CodeIgniter's Active Record and don't mess with it.

But if that doesn't work, there is an alternative
If you have a very long query and can't be bothered to convert it to Active Record's style, you can sanitise your input manually by using this function:

$sanitised_title = $this->db->escape($title);

// For use inside LIKE query

$sanitised_title = $this->db->escape_like_str($title);

And you can safely concatenate the sanitised/escaped input inside your query.
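For the LIKE case this answer singles out, an added example (not code from the answer or from CodeIgniter): three ways to search `mytable.title` in CodeIgniter 3 with user input inside the pattern. Table and column names come from the answer; the model class name is made up, and the `ESCAPE '!'` convention is what CI 3's escape_like_str() and like() use by default.

```php
<?php
// Added example, not from the answer above. Assumes a table `mytable`
// with a `title` column and a loaded database library ($this->db).
class Title_search_model extends CI_Model
{
    // Query Builder: like() escapes quotes AND the wildcard characters
    // % and _ inside $input (CI 3 appends the ESCAPE '!' clause itself),
    // so a search for "20%" matches a literal percent sign.
    public function search_builder($input)
    {
        return $this->db->select('title')
                        ->from('mytable')
                        ->like('title', $input)
                        ->get()
                        ->result_array();
    }

    // Hand-written SQL: escape_like_str() escapes quotes and wildcards
    // with '!' but returns an UNQUOTED fragment, so the caller supplies
    // the quotes, the wildcards and the matching ESCAPE '!' clause.
    // Omitting ESCAPE '!' would make the '!' characters part of the match.
    public function search_manual($input)
    {
        $pattern = '%' . $this->db->escape_like_str($input) . '%';
        $sql = "SELECT title FROM mytable WHERE title LIKE '$pattern' ESCAPE '!'";
        return $this->db->query($sql)->result_array();
    }

    // Bindings work here too: bind the whole pattern as one value instead
    // of splicing $input into the SQL text. Note that wildcards typed by
    // the user stay live in this variant, which is fine for a search box
    // but not where the user must not be able to widen the match.
    public function search_bound($input)
    {
        $sql = 'SELECT title FROM mytable WHERE title LIKE ?';
        return $this->db->query($sql, array('%' . $input . '%'))->result_array();
    }
}
```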

人间☆小暴躁 2024-11-11 17:56:16

You can check whether your var contains only letters or numbers, meaning your var must be in the format you defined, before you insert it into the query.
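An added example of the format check this answer suggests (not code from the answer or from CodeIgniter). It also covers the one input that escaping and bindings cannot protect, an identifier such as an ORDER BY column, which needs an allow-list instead. The table, column and class names are assumptions.

```php
<?php
// Added example, not from the answer above. Validates the FORMAT of
// input before it is used in a query; values still go through the
// Query Builder, identifiers are matched against an allow-list.
class Item_model extends CI_Model
{
    // Columns a caller may sort by; any other value is rejected outright.
    private $sortable = array('id', 'code', 'created_at');

    // TRUE only for 1..32 ASCII letters/digits. \A and \z are used rather
    // than ^ and $ because $ would still accept a trailing newline.
    public static function is_alnum_code($value)
    {
        return is_string($value) && preg_match('/\A[A-Za-z0-9]{1,32}\z/', $value) === 1;
    }

    // TRUE only for a non-empty string of digits ("1 OR 1=1" and "" fail).
    public static function is_digits($value)
    {
        return (is_int($value) || is_string($value)) && ctype_digit((string) $value);
    }

    // Returns matching rows, or FALSE when a parameter has the wrong format.
    public function find($code, $limit, $sort)
    {
        if (!self::is_alnum_code($code) || !self::is_digits($limit)) {
            return FALSE;
        }
        // Exact, type-strict match against the allow-list, so the identifier
        // spliced into the SQL is always one of the literals above.
        if (!in_array($sort, $this->sortable, TRUE)) {
            return FALSE;
        }
        return $this->db->where('code', $code)    // value: escaped by the builder
                        ->order_by($sort, 'ASC')  // identifier: from the allow-list
                        ->limit((int) $limit)
                        ->get('items')
                        ->result_array();
    }
}
```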

南汐寒笙箫 2024-11-11 17:56:16

CodeIgniter provides inbuilt functions and libraries to prevent this:

$this->db->escape();

This function automatically adds single quotes around the data and determines the data type so that it can escape only string data.
