Is my code vulnerable to SQL injection through this LIKE clause?

I'm doing a live search with jQuery and PHP but I'm not sure if my query is vulnerable to SQL injection.
The data is posted into a PHP file while typing characters with the help of jQuery.
<?php
// The raw POST value is interpolated straight into the SQL text of the LIKE pattern.
$searchData = $_POST['searchData'];
$searchResult = mysql_query("SELECT * FROM songs WHERE songname LIKE '$searchData%' ");
echo $searchResult;
Is this vulnerable to SQL injection?
Comments (7)
Yes, consider if $searchData is:

Use mysql_real_escape_string($_POST['searchData']), or [PDO] instead of mysql_*.

If $searchData isn't being escaped anywhere, then yes, it's vulnerable.

Anytime you are taking user input and putting it into a query, you should pass it through mysql_real_escape_string. Better safe than sorry.

Since you can use tools to manipulate the sent $_POST data, yes, it is dangerous.
Either you escape it or use PHP Data Objects (PDO), which doesn't need ANY escaping and is what you should use anyway at this time.

Yes, it is vulnerable. But other responders failed to note that along with the normal escaping (like mysql_real_escape_string()) you also need to escape the % character for the LIKE clause!

The trick to grasp here is that there is nothing like "universal quoting". When quoting, you always quote text for some particular output, like:

like expression for mysql query

For each case, you need different quoting, because each usage is present within a different syntax context. This also implies that the quoting shouldn't be made at the input into PHP, but at the particular output! Which is the reason why features like magic_quotes_gpc are broken (never forget to handle it, or better, assure it is switched off!!!).

So, what methods would one use for quoting in these particular cases? (Feel free to correct me, there might be more modern methods, but these are working for me)

mysql_real_escape_string($str)
mysql_real_escape_string(addcslashes($str, "%_"))
htmlspecialchars($str)
json_encode() - only for utf8! I use my own function for iso-8859-2
mysql_real_escape_string(addcslashes($str, '^.[]$()|*+?{}')) - you cannot use preg_quote in this case because the backslash would be escaped two times!
preg_quote()
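The following is an added example, not code from the question or from any of the answers. It shows the two layers the last answer distinguishes for the question's prefix search: the user value is first escaped for the LIKE grammar (where % and _ are wildcards), and only then handed to the SQL layer as a bound PDO parameter rather than interpolated into the query text as in the question. The table and column names (songs, songname) come from the question; the sample rows, the in-memory SQLite database, the '!' escape character and the function names are constructed here so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example. Hypothetical helper names; `songs` and `songname` are the
// question's table and column. The ESCAPE '!' clause is written the same way
// on MySQL and SQLite, which is why the demo below can use SQLite in memory.

const LIKE_ESCAPE = '!';

/**
 * Escape a user value so that it matches literally inside a LIKE pattern.
 * The escape character itself is handled first; otherwise a '!' in the input
 * could neutralise the escape inserted in front of a following '%' or '_'.
 */
function escapeLikePattern(string $value): string
{
    return str_replace(
        [LIKE_ESCAPE, '%', '_'],
        [LIKE_ESCAPE . LIKE_ESCAPE, LIKE_ESCAPE . '%', LIKE_ESCAPE . '_'],
        $value
    );
}

/**
 * Prefix search on songname. The user value never becomes part of the SQL
 * text: it is escaped for the LIKE grammar, the trailing wildcard is appended
 * by the application, and the whole pattern is bound as a parameter.
 */
function searchSongsByPrefix(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        "SELECT songname FROM songs WHERE songname LIKE :pattern ESCAPE '!' ORDER BY songname"
    );
    $stmt->execute([':pattern' => escapeLikePattern($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- constructed demo data (not from the page) -------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE songs (id INTEGER PRIMARY KEY, songname TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO songs (songname) VALUES (:name)');
foreach (['100% Pure', '100 Percent', 'Under_score', 'Underdog', "Rock'n'Roll"] as $name) {
    $insert->execute([':name' => $name]);
}

// A '%' typed by the user is matched literally: only the row that really
// starts with "100%" is returned, not every row.
var_dump(searchSongsByPrefix($pdo, '100%'));
// Likewise '_' no longer acts as a single-character wildcard.
var_dump(searchSongsByPrefix($pdo, 'Under_'));
// A quote in the input is plain data for the bound parameter; interpolated
// into the SQL string as in the question it would have changed the statement.
var_dump(searchSongsByPrefix($pdo, "Rock'"));
```

The answer's `mysql_real_escape_string(addcslashes($str, "%_"))` relies on MySQL's default backslash escape character for LIKE; the example instead names the escape character explicitly with ESCAPE '!' so that the same statement behaves identically on MySQL and SQLite, and it leaves the SQL-literal quoting entirely to the prepared statement. The order of the two steps matters: LIKE escaping is applied to the value, parameter binding is applied to the statement, and neither replaces the other.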
Yes, you can use this: