Preventing SQL injection
Possible Duplicates:
Best way to stop SQL Injection in PHP
In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?
Yesterday I asked a question with regard to a script not working, whilst I in the end solved the issue myself. There was talk of SQL injection risks.
So what I'm asking today is, with the code I have inserted below, how would one prevent SQL Injections?
So any advice or guidance. I know I can read the internet about SQL injections but there are so many conflicting articles on it, I don't know which is correct or not.
Here is the code, this is all put in a page of its own, let's say 'form-process.php', which the form then submits the data to, e.g.
<?
session_start();
$_SESSION['Title'] = stripslashes($_REQUEST['Title']);
$_SESSION['ShortTitle'] = stripslashes($_REQUEST['Title']);
$_SESSION['Category'] = stripslashes($_REQUEST['Category']);
$_SESSION['Story'] = stripslashes($_REQUEST['Story']);
$_SESSION['FrontPage'] = stripslashes($_REQUEST['FrontPage']);
$_SESSION['imagefilename'] = ($_FILES['image']['name']);
if (empty($_REQUEST['Title'])) {
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=0");
exit;
} elseif (empty($_REQUEST['ShortTitle'])) {
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=1");
exit;
} elseif (strlen($_REQUEST['Category']) < 1) {
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=2");
exit;
} elseif (empty($_REQUEST['Story'])) {
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=3");
exit;
} else {
include("settings.php");
include("dbconnect.php");
if($_POST['btnSubmit'] == 'Publish'){
$target = "../../../images/matchreports/uploaded/";
$target = $target . time() . '-' . basename( $_FILES['image']['name']);
if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
$image=time() . '-' . basename( $_FILES['image']['name']);
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(y) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
$result = @mysql_query($SQL) or die("Error Publishing 1");
header("Location: /cms/matchreports/index.php?message=4");
exit;
} else {
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
$result = @mysql_query($SQL) or die("Error Publishing 2");
header("Location: /cms/matchreports/index.php?message=5");
exit;}}
if($_POST['btnSubmit'] == 'Save draft'){
$target = "../../../images/matchreports/uploaded/";
$target = $target . time() . '-' . basename( $_FILES['image']['name']);
if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
$image=time() . '-' . basename( $_FILES['image']['name']);
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
$result = @mysql_query($SQL) or die("Error Saving Draft 1");
header("Location: /cms/matchreports/index.php?message=6");
exit;
} else {
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
$result = @mysql_query($SQL) or die("Error Saving Draft 2");
header("Location: /cms/matchreports/index.php?message=7");
exit;}}
if($_POST['btnSubmit'] == 'Publish changes'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . y . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News");
header("Location: /cms/matchreports/index.php?message=8");
exit;}
if($_POST['btnSubmit'] == 'Publish draft to website'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . y . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News");
header("Location: /cms/matchreports/index.php?message=9");
exit;}
if($_POST['btnSubmit'] == 'Save changes to draft'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST ['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . n . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News");
header("Location: /cms/matchreports/index.php?message=10");
exit;}
}?>
Comments (2)
Use PDO and prepared statements.
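An added example (not part of the original answer or the asker's code): the question's INSERT and its "Publish changes" UPDATE rewritten with PDO prepared statements. The table name match_reports, the in-memory SQLite DSN, the helper names and the sample form values are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. Assumed: table name match_reports,
// an in-memory SQLite DSN (so it runs offline), and all helper names.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE match_reports (ID INTEGER PRIMARY KEY, Title TEXT,
    ShortTitle TEXT, Story TEXT, FrontPage TEXT, active TEXT, date TEXT, user_ip TEXT)');

// Identifiers cannot be bound as parameters, so the table name is allowlisted.
function reportTable(string $name): string {
    if (!in_array($name, ['match_reports'], true)) {
        throw new InvalidArgumentException('unknown table');
    }
    return $name;
}

function insertReport(PDO $pdo, array $in, string $active, string $ip): int {
    $stmt = $pdo->prepare('INSERT INTO ' . reportTable('match_reports') .
        ' (Title, ShortTitle, Story, FrontPage, active, date, user_ip)
          VALUES (:title, :short, :story, :front, :active, :date, :ip)');
    $stmt->execute([
        ':title' => $in['Title'], ':short' => $in['ShortTitle'],
        ':story' => $in['Story'], ':front' => $in['FrontPage'],
        ':active' => $active, ':ip' => $ip,
        ':date' => $in['date_y'] . $in['date_m'] . $in['date_d'],
    ]);
    return (int) $pdo->lastInsertId();
}

function publishChanges(PDO $pdo, array $in): int {
    // The question concatenates ID unquoted; here it must parse as an integer.
    $id = filter_var($in['ID'], FILTER_VALIDATE_INT);
    if ($id === false) { return 0; }
    $stmt = $pdo->prepare('UPDATE ' . reportTable('match_reports') .
        ' SET Title = :title, active = :active WHERE ID = :id');
    $stmt->bindValue(':title', $in['Title']);
    $stmt->bindValue(':active', 'y');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST.
$form = ['Title' => "O'Brien's late winner", 'ShortTitle' => 'Late winner',
    'Story' => 'Full report...', 'FrontPage' => 'y',
    'date_y' => '2011', 'date_m' => '05', 'date_d' => '14'];
$id = insertReport($pdo, $form, 'n', '192.0.2.10');
// Integer ID: bound as a parameter and the row is updated.
echo publishChanges($pdo, ['ID' => (string) $id, 'Title' => 'Edited']), "\n";
// Non-integer ID: rejected before any statement is executed.
echo publishChanges($pdo, ['ID' => "$id OR 1=1", 'Title' => 'x']), "\n";
```

With MySQL, set PDO::ATTR_EMULATE_PREPARES to false so parameters are bound server-side.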
A simple, universal rule I like to apply is this:
Always store data raw, and escape it for the appropriate application when needed.
This means, get rid of nebulous stripslashes(), and:
- for string values in SQL statements, use the database's appropriate escape function, e.g. mysqli_real_escape_string(),
- for system()-type command names, use escapeshellcmd(), for arguments use escapeshellarg(),
- for manually assembling GET request URLs, use urlencode(), and finally
- for printing content in an HTML structure, use htmlentities().
There's no point in blindly using some sort of mangling and hoping it'll filter out bad things. Be conscious of what you're doing, and do the appropriate thing at every step.
Example: To print a link with a user-provided GET parameter, you'd do
Important note: For SQL queries, it is generally preferable to use prepared statements rather than building queries by hand. This is a different technology from what you're used to, so it's not the straight "how do I fix this" answer, but it is by far the better solution.
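An added example (not part of the original answer) of the "store raw, escape per context" rule described above: one raw string encoded separately for a URL query value, an HTML attribute, HTML text and a shell argument. The function name, the /search.php path and the sample string are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. The function name, the /search.php
// path and the sample string are assumptions made for illustration.
function encodeForContexts(string $raw): array {
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // URL context: encode the value, then HTML-escape the whole URL because
    // it is placed inside an href attribute.
    $url = '/search.php?q=' . urlencode($raw);
    $href = htmlentities($url, $flags, 'UTF-8');
    // HTML text context: the same raw value, escaped for element content.
    $text = htmlentities($raw, $flags, 'UTF-8');
    return [
        'link' => '<a href="' . $href . '">' . $text . '</a>',
        // Shell argument context: quoted as a single argument; nothing is
        // executed here.
        'shell_arg' => escapeshellarg($raw),
    ];
}

// Constructed input; the stored value stays raw and is encoded only at each sink.
$raw = 'Rovers & United: "derby" <final>';
foreach (encodeForContexts($raw) as $context => $encoded) {
    echo $context, ': ', $encoded, "\n";
}
```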