简体   繁体   English

在AJAX请求中可能进行SQL注入?

[英]Possible SQL Injection in AJAX request?

I am developing search indexing using PHP and AJAX to make it powerful. 我正在使用PHP和AJAX开发搜索索引以使其功能强大。 When I scan it using burpsuit or other security scanner, SQL injection appears in AJAX code and I can't find any solution for it. 当我使用burpsuit或其他安全扫描程序扫描它时,SQL注入出现在AJAX代码中,我找不到任何解决方案。 The code is below: 代码如下:

<?php

require_once 'Connections/connect.php';

if($_GET['type'] == 'mobile'){
    $result = mysql_query("SELECT mobilep FROM dictionary where mobilep LIKE '".$_GET['name_startsWith']."%'"); 
    $data = array();
    while ($row = mysql_fetch_array($result)) {
        array_push($data, $row['mobilep']); 
    }   
    echo json_encode($data);
}


?>

This is very bad ... you're using the deprecated mysql adapter. 这是非常糟糕的 ...您正在使用不建议使用的mysql适配器。

http://php.net/manual/en/book.pdo.php http://php.net/manual/zh/book.pdo.php

Use pdo and binds, here's a full prototype: 使用pdo和binds,这是一个完整的原型:

class MySql
{
    private $sDbName      = '';
    private $sUsername    = '';
    private $sPassword    = '';
    private $sHost        = '';
    private $oConnection  = null;
    public function __construct()
    {
        $this->oConnection = new PDO( 
            'mysql:host=' 
            . $this->sHost 
            . ';dbname=' 
            . $this->sDbName, 
            $this->sUsername, 
            $this->sPassword 
            );
    }
    public function getDb()
    {
        return $this->oConnection;
    }
}
$aReturn[ 'data' ] = '';
if( !empty( $_GET[ 'type' ] )
    && ( !empty( $_GET[ 'name_startsWith' ] ) 
    && ( $_GET['type'] == 'mobile' ) 
    )
{
    $oMySql = new MySql;
    $oDb = $oMySql->getDb();
    $sSql = "SELECT mobilep FROM dictionary where mobilep LIKE :name";
    $aBinds[ ':name' ] = $_GET[ 'name_startsWith' ] . '%';

    $oStmp = $oDb->prepare( $sSql );
    $oMySql->bindVariables( $oStmp, $aBinds );
    $oStmp->execute();
    $oResults = $oStmp->fetchall();
    if( !empty( $oResults ) )
    {
        // var_dump( $aResults );
        $oErrors = $oStmp->errorInfo();
        // var_dump( $oErrors );
        $aReturn[ 'data' ] = $aResults;
    }
}
$sJson = json_encode( $aReturn, 1 );
header( 'Content-type', 'application/json' );
echo $sJson;

(Yes, this is question over a year old. But there is no selected answer. I ran across this question in a search...) (是的,这是一个多岁的问题。但是没有选择的答案。我在搜索中遇到了这个问题...)

If you are stuck with mysql_ interface functions, and can't migrate to mysqli or PDO, the best you can do is to use the mysql_real_escape_string function. 如果您受制于mysql_接口函数,并且无法迁移到mysqli或PDO,则最好的办法是使用mysql_real_escape_string函数。

existing code: 现有代码:

= mysql_query(" ... LIKE '". $_GET['name_startsWith'] ."%'");

to properly escape a potentially unsafe value, before it's incorporated into the SQL text, use the mysql_real_escape_string function... 要在将其合并到SQL文本之前正确转义潜在的不安全值,请使用mysql_real_escape_string函数...

= mysql_query(" ... LIKE '". mysql_real_escape_string( $_GET['name_startsWith'] )."%'");
                             ^^^^^^^^^^^^^^^^^^^^^^^^^                          ^

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM