Is my code safe from SQL injection?
This is my current code as it stands
$search = $_GET["Search"];
// Escape quotes for the SQL string, then escape the LIKE wildcards % and _
$search = addcslashes(mysql_real_escape_string($search), '%_');

// THIS CODE WAS GENERATED BY DREAMWEAVER CS4 FROM HERE ON
if (!function_exists("GetSQLValueString")) {
    function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
    {
        // Undo magic_quotes so the value is not escaped twice
        if (PHP_VERSION < 6) {
            $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
        }

        $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

        // Quote or cast according to the declared column type
        switch ($theType) {
            case "text":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "long":
            case "int":
                $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                break;
            case "double":
                $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
                break;
            case "date":
                $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                break;
            case "defined":
                $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                break;
        }
        return $theValue;
    }
}

mysql_select_db($database_Echos, $Echos);

// SQL statement that queries the db
$query_Recordset1 = "SELECT catelogue.ARTIST, catelogue.TITLE, catelogue.`CAT NO.`, catelogue.FORMAT, catelogue.`IMAGE PATH` FROM catelogue WHERE catelogue.TITLE LIKE '%$search%'";

// More Dreamweaver code
$Recordset1 = mysql_query($query_Recordset1, $Echos) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);

After this, the data gets displayed in a table format.
I'm still new to this all and in recent days have found out that you can put statements into my search term and destroy 8 months of database work. It's not like the db isn't backed up, but I'd rather be safe than sorry.
I have read that a prepared statement is the best way to stop this (How can I prevent SQL injection in PHP?).
But as I said, I'm new to this and have very little understanding of it.
So, simply put: is the code that DW created safe enough?
Are there things that should change to make it simpler?
And if it's not safe enough, how do I make it safer?
Do I use a prepared statement here? If so, can someone please explain how to use it here?
Please, any help would be much appreciated.
Comments (1)
Your code suffers from a lot of bad practices, but it isn't as totally insecure or as bad as the usual pieces of PHP code I'm used to seeing.
To put it in simple terms: you don't want to use PHP's mysql_ functions. What you should do is use PDO. mysql_real_escape_string is safe, but not 100%. For a better explanation, refer to the link that explains when mysql_real_escape_string is vulnerable. So what you would do is create prepared statements with PDO and then bind the input values. PDO cleans them according to the character set and database being used, which makes it 100% safe, without worrying whether you missed something or not.