当前位置: 文江博客话题详情

PHP MySQL 触发器 - 如何将变量传递给触发器?

发布于 2024-12-09 08:06:28 字数 638 浏览 0 评论 0原文

我试图找到如何将查询中的变量发送到触发器,但这会影响第二个表。我使用它来创建一个日志表,其中更新或插入的任何内容都会记录在日志表中例如

//Inserts into the table the username and password
$sql = "INSERT INTO table VALUES ($_POST['username'], $_SESSION['password']);

触发 DDL 语句

DELIMITER $$

//Creates trigger to insert into table1 ( logs ) the userid and patientid ( which has to come from php )
USE `baemer_emr`$$

CREATE
DEFINER=`baemer_emr`@`localhost`
TRIGGER `table1`.`after_insert`
AFTER INSERT ON `baemer_emr`.`table1`
FOR EACH ROW
BEGIN
  INSERT INTO table2 VALUES (NEW.idn, $_POST[userid], $_SESSION[patientid]);
END$$

这可能吗?

原文

I'm trying to find how to send variables in a query to the trigger, but it's going to affect a second table. I'm using this to create a log table, in which anything that gets updated or inserted gets recorded in the log table For example

//Inserts into the table the username and password
$sql = "INSERT INTO table VALUES ($_POST['username'], $_SESSION['password']);

Trigger DDL Statements

DELIMITER $

//Creates trigger to insert into table1 ( logs ) the userid and patientid ( which has to come from php )
USE `baemer_emr`$

CREATE
DEFINER=`baemer_emr`@`localhost`
TRIGGER `table1`.`after_insert`
AFTER INSERT ON `baemer_emr`.`table1`
FOR EACH ROW
BEGIN
  INSERT INTO table2 VALUES (NEW.idn, $_POST[userid], $_SESSION[patientid]);
END$

Is this possible?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

深者入戏 2024-12-16 08:06:28

修复 SQL 注入

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "INSERT INTO table1 VALUES ('username','password'); 
// You must quote your $vars       ^        ^ ^        ^  like this
// or syntax errors will occur and the escaping will not work!.

请注意,在数据库中存储未加密的密码是一项重大罪过。
请参阅下文了解如何解决该问题。

触发器不允许参数
您只能访问刚刚插入表中的值。
插入触发器有一个用于此目的的虚拟表new
删除触发器有一个虚拟表old来查看要删除的值。
更新触发器同时具有oldnew

除此之外,您无法访问任何外部数据。

DELIMITER $    

//Creates trigger to insert into table1 ( logs ) the userid and patientid ( which has to come from php )    

CREATE    
TRIGGER ai_table1_each AFTER INSERT ON `baemer_emr`.`table1`    
FOR EACH ROW    
BEGIN    
  INSERT INTO table2 VALUES (NEW.idn, NEW.username, NEW.patientid);    
END$

解决方案
创建黑洞表。
黑洞表不存储任何内容,它们存在的唯一原因是为了复制目的,因此您可以将触发器附加到它们。

CREATE TABLE bh_newusers (
  username varchar(255) not null,
  password varchar(255) not null,
  idn integer not null,
  patient_id integer not null,
  user_id integer not null) ENGINE = BLACKHOLE;

接下来将数据插入黑洞表并使用触发器进行处理。

CREATE    
TRIGGER ai_bh_newuser_each AFTER INSERT ON `baemer_emr`.bh_newuser
FOR EACH ROW    
BEGIN    
  DECLARE newsalt INTEGER;
  SET newsalt = FLOOR(RAND()*999999);
  INSERT INTO users (username, salt, passhash) 
    VALUES (NEW.username, newsalt, SHA2(CONCAT(newsalt, password), 512));
  INSERT INTO table2 VALUES (NEW.idn, NEW.username, NEW.patient_id);
END$

触发器注释
您永远不应该将密码以明文形式存储在数据库中。
始终使用最安全的哈希函数(当前为密钥长度为 512 的 SHA2)将它们存储为加盐哈希,如触发器中所示。
您可以通过执行以下操作来测试某人是否拥有正确的密码:

SELECT * FROM user 
WHERE username = '$username' AND passhash = SHA2(CONCAT(salt,'$password'),512)

链接
http://dev.mysql.com/doc/ refman/5.0/en/blackhole-storage-engine.html
http://dev.mysql.com/doc/refman/ 5.0/en/create-trigger.html
在 MySQL 中存储哈希密码
“Bobby Tables”XKCD 漫画中的 SQL 注入是如何工作的?

Fix that SQL-injection

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "INSERT INTO table1 VALUES ('username','password'); 
// You must quote your $vars       ^        ^ ^        ^  like this
// or syntax errors will occur and the escaping will not work!.

Note that storing unencrypted passwords in a database is a cardinal sin.
See below on how to fix that.

Triggers do not allow parameters
You can only access the values you just inserted into the table.
The Insert trigger has a dummy table new for this.
The Delete triger has a dummy table old to see the values that are to be deleted.
The Update trigger has both old and new.

Other than that you cannot access any outside data.

DELIMITER $    

//Creates trigger to insert into table1 ( logs ) the userid and patientid ( which has to come from php )    

CREATE    
TRIGGER ai_table1_each AFTER INSERT ON `baemer_emr`.`table1`    
FOR EACH ROW    
BEGIN    
  INSERT INTO table2 VALUES (NEW.idn, NEW.username, NEW.patientid);    
END$

The solution
Create a blackhole table.
Blackhole tables to not store anything, their only reason to exist is for replication purposes and so you can attach triggers to them.

CREATE TABLE bh_newusers (
  username varchar(255) not null,
  password varchar(255) not null,
  idn integer not null,
  patient_id integer not null,
  user_id integer not null) ENGINE = BLACKHOLE;

Next insert data into the blackhole table and process that using a trigger.

CREATE    
TRIGGER ai_bh_newuser_each AFTER INSERT ON `baemer_emr`.bh_newuser
FOR EACH ROW    
BEGIN    
  DECLARE newsalt INTEGER;
  SET newsalt = FLOOR(RAND()*999999);
  INSERT INTO users (username, salt, passhash) 
    VALUES (NEW.username, newsalt, SHA2(CONCAT(newsalt, password), 512));
  INSERT INTO table2 VALUES (NEW.idn, NEW.username, NEW.patient_id);
END$

Notes on the trigger
You should never store passwords in the clear in a database.
Always store them as a salted hash using the safest hash function (currently SHA2 with a 512 key length) , as shown in the trigger.
You can test to see if someone has the correct password by doing:

SELECT * FROM user 
WHERE username = '$username' AND passhash = SHA2(CONCAT(salt,'$password'),512)

Links
http://dev.mysql.com/doc/refman/5.0/en/blackhole-storage-engine.html
http://dev.mysql.com/doc/refman/5.0/en/create-trigger.html
Storing hashed passwords in MySQL
How does the SQL injection from the "Bobby Tables" XKCD comic work?

回复 原文
行雁书 2024-12-16 08:06:28

我不认为是这样。

您可以将 useridpatentid 列添加到 VALUES 表中,在原始插入期间填充它们,然后在插入到您的表中时在触发器中引用这些列。日志表。

alter table `baemer_emr`.`table1` add userId varchar(100);

alter table `baemer_emr`.`table1` add patientId int unsigned;

然后是触发器:

DELIMITER $

//Creates trigger to insert into table1 ( logs )
USE `baemer_emr`$

CREATE
DEFINER=`baemer_emr`@`localhost`
TRIGGER `table1`.`after_insert`
AFTER INSERT ON `baemer_emr`.`table1`
FOR EACH ROW 
BEGIN
  INSERT INTO table2 VALUES (NEW.idn, NEW.userId, NEW.patientId);
END$

DELIMITER ;

I don't think it is.

You could add userid and patientid columns to the VALUES table, populate them during the original insert and then reference those within the trigger when inserting into your log table.

alter table `baemer_emr`.`table1` add userId varchar(100);

alter table `baemer_emr`.`table1` add patientId int unsigned;

and then the the trigger:

DELIMITER $

//Creates trigger to insert into table1 ( logs )
USE `baemer_emr`$

CREATE
DEFINER=`baemer_emr`@`localhost`
TRIGGER `table1`.`after_insert`
AFTER INSERT ON `baemer_emr`.`table1`
FOR EACH ROW 
BEGIN
  INSERT INTO table2 VALUES (NEW.idn, NEW.userId, NEW.patientId);
END$

DELIMITER ;
回复 原文
~没有更多了~

关于作者

淡写薰衣草的香

暂无简介

0 文章
0 评论
24 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

Gabu-gabumon

文章 0 评论 0

qq_CgiN62

文章 0 评论 0

荔枝明

文章 0 评论 0

赏烟花じ飞满天

文章 0 评论 0

独守阴晴ぅ圆缺

文章 0 评论 0

¤→小豸慧

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文