PHP MySQL: insecure, error-based injection

Published 2024-12-08 20:27:35

<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'parser.php';

$sql = "SELECT
            topic_id,
            topic_subject
        FROM
            topics
        WHERE
            topics.topic_id = " . mysql_real_escape_string($_GET['id']); // escaped, but concatenated without quotes

$result = mysql_query($sql);

if(!$result)
{
    echo 'The topic could not be displayed, please try again later.';
}
//check for sign in status
else if(!$_SESSION['signed_in'])
{
    echo 'You must be signed in!';
    header( 'Location:signin.php' ) ;
}
else
{
    if(mysql_num_rows($result) == 0)
    {
        echo 'This topic doesn\'t exist.';
    }
    else
    {
        while($row = mysql_fetch_assoc($result))
        {
            //display post data
            echo '<table class="topic" border="1">
                    <tr>
                        <th colspan="2">' . $row['topic_subject'] . '</th>
                    </tr>';

            //fetch the posts from the database
            $posts_sql = "SELECT
                        posts.post_topic,
                        posts.post_content,
                        posts.post_date,
                        posts.post_by,
                        users.user_id,
                        users.user_name
                    FROM
                        posts
                    LEFT JOIN users ON posts.post_by = users.user_id
                    LEFT JOIN topics ON topics.topic_by = users.user_name
                    WHERE
                        posts.post_topic = " . mysql_real_escape_string($_GET['id']); // same unquoted interpolation

            $posts_result = mysql_query($posts_sql);

            if(!$posts_result)
            {
                echo '<tr><td>The posts could not be displayed, please try again later.</td></tr></table>';
            }
            else
            {
                $parser = new parser; // start up the BBCode parser

                while($posts_row = mysql_fetch_assoc($posts_result))
                {
                    // parse BBCode in the post body
                    $parsed = $parser->p($posts_row['post_content']);

                    echo '<tr class="topic-post">
                            <td class="user-post">' . $posts_row['user_name'] . '<br/>' . date('d-m-Y H:i', strtotime($posts_row['post_date'])) . '</td>
                            <td class="post-content">' . $parsed . '</td>
                          </tr>';
                }
            }

            if(!$_SESSION['signed_in'])
            {
                echo '<tr><td colspan="2">You must be <a href="signin.php">signed in</a> to reply. You can also <a href="signup.php">sign up</a> for an account.</td></tr>';
            }
            else
            {
                //show reply box
                echo '<tr><td colspan="2"><h2>Reply:</h2><br />
                    <form method="post" action="reply.php?id=' . $row['topic_id'] . '">
                        <textarea name="reply-content"></textarea><br /><br />
                        <input type="submit" value="Submit reply" />
                    </form></td></tr>';
            }

            //finish the table
            echo '</table>';
        }
    }
}

include 'footer.php';
?>

Error-based SQL injection works on my code and I cannot figure out where my mistakes are. I mean, everything is functional, but my code is vulnerable for sure. What are some better practices I could use within this code to secure it? This is a simple forum script I am working on to learn PHP with MySQL.

Comments (2)

煞人兵器 2024-12-15 20:27:35

Well, for one mysql_real_escape_string escapes your string, but it doesn't also quote it. You should be using it like this (in the general case):

$sql = sprintf('...blah blah... WHERE topics.topic_id = \'%s\'',
               mysql_real_escape_string($_GET['id']));

In this specific case, you could also use intval (which is IMHO more descriptive) and/or switch the sprintf argument specifier to %d.
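The point of the answer above, as an added example that is not code from the question or the answer: `mysql_real_escape_string` only escapes quote, backslash, NUL and line-break characters, so when the result is concatenated without surrounding quotes, letters, spaces and punctuation pass through and can change the meaning of the `WHERE` clause. The example validates `?id=` as a positive integer before it is interpolated through `%d`. The `topic_id_from_request` and `build_topic_sql` helpers are assumptions introduced here; the sample inputs are constructed. It uses only core PHP, since the `mysql_*` extension used in the question no longer exists in PHP 7 and later.

```php
<?php
// Added example (not from the question or the answer): validate a numeric
// URL parameter before it reaches SQL text. Helper names are assumptions.

declare(strict_types=1);

/**
 * Return $raw as a positive int, or null if it is anything else.
 * Unlike intval() or sprintf('%d', ...), which turn "12abc" into 12,
 * FILTER_VALIDATE_INT rejects any input that is not a whole integer.
 */
function topic_id_from_request(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the topic query the way the answer suggests (sprintf with %d),
 * but only for an already validated int, so the value cannot alter the
 * statement's structure.
 */
function build_topic_sql(int $id): string
{
    return sprintf(
        'SELECT topic_id, topic_subject FROM topics WHERE topics.topic_id = %d',
        $id
    );
}

// Constructed sample values standing in for $_GET['id'].
$samples = ['7', '12abc', '7 x', '', null];
foreach ($samples as $raw) {
    $id = topic_id_from_request($raw);
    printf(
        "%-8s => %s\n",
        var_export($raw, true),
        $id === null ? 'rejected' : build_topic_sql($id)
    );
}
```

Of the five samples only `'7'` produces a query; `'12abc'`, `'7 x'`, the empty string and a missing parameter are all rejected. Note that `intval('12abc')` returns 12, so a `%d` specifier alone would silently accept malformed input, which is why the validation step is kept separate from the query construction.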

对风讲故事 2024-12-15 20:27:35

Instead of using PHP's "mysql" library, consider using PHP's "PDO" or "mysqli" libraries.

Check out this post for a good explanation and PDO recommendation:
How can I prevent SQL injection in PHP?

Check this out for mysqli:
http://devzone.zend.com/article/686
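To show what the suggestion above looks like when applied to the questioner's script, here is an added example, not code from the question, the answer, or the linked articles: the two queries rewritten with PDO prepared statements, so the topic id travels to the server as a bound integer parameter rather than as part of the SQL text. The DSN, database name, user and password are placeholders; the table and column names (`topics`, `posts`, `users`) are taken from the question, and the function names `connect`, `fetch_topic` and `fetch_posts` are assumptions. The BBCode parser from the question is left out.

```php
<?php
// Added example (not from the question or the answer): the topic page's two
// queries using PDO prepared statements. DSN and credentials are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',   // placeholder DSN
        'DB_USER',                                                // placeholder credentials
        'DB_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
            PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepare; values are sent separately
        ]
    );
}

/** Returns the topic row, or null when no such topic exists. */
function fetch_topic(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT topic_id, topic_subject FROM topics WHERE topic_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Posts for a topic joined to their authors, as in the question's second query. */
function fetch_posts(PDO $pdo, int $topicId): array
{
    $stmt = $pdo->prepare(
        'SELECT posts.post_content, posts.post_date, users.user_name
           FROM posts
           LEFT JOIN users ON posts.post_by = users.user_id
          WHERE posts.post_topic = :id'
    );
    $stmt->bindValue(':id', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling: authenticate, validate, then query.
session_start();
if (empty($_SESSION['signed_in'])) {
    header('Location: signin.php');
    exit; // stop here; the original kept rendering after sending the redirect header
}

$id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid topic id.');
}

try {
    $pdo   = connect();
    $topic = fetch_topic($pdo, $id);
    if ($topic === null) {
        http_response_code(404);
        exit('This topic does not exist.');
    }

    // Encode database values before echoing them into HTML.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    echo '<table class="topic" border="1"><tr><th colspan="2">', $e($topic['topic_subject']), '</th></tr>';
    foreach (fetch_posts($pdo, $id) as $post) {
        echo '<tr class="topic-post">',
             '<td class="user-post">', $e($post['user_name'] ?? ''), '<br/>',
             $e(date('d-m-Y H:i', strtotime($post['post_date']))), '</td>',
             '<td class="post-content">', $e($post['post_content']), '</td>',
             '</tr>';
    }
    echo '</table>';
} catch (PDOException $ex) {
    error_log($ex->getMessage()); // keep driver error text in the server log, not in the response
    http_response_code(500);
    exit('The topic could not be displayed, please try again later.');
}
```

Two design choices matter here. `PDO::ATTR_EMULATE_PREPARES => false` makes the MySQL server itself parse the statement once and receive the bound id separately, so no escaping step is involved at all. Catching `PDOException` and logging it, while returning only a generic message, keeps database error text out of the HTTP response, which is the channel error-based injection relies on for feedback.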
