[英]Possible SQL Injection in AJAX request?
I am developing search indexing using PHP and AJAX to make it powerful. 我正在使用PHP和AJAX开发搜索索引以使其功能强大。 When I scan it using burpsuit or other security scanner, SQL injection appears in AJAX code and I can't find any solution for it.
当我使用burpsuit或其他安全扫描程序扫描它时,SQL注入出现在AJAX代码中,我找不到任何解决方案。 The code is below:
代码如下:
<?php
require_once 'Connections/connect.php';
if($_GET['type'] == 'mobile'){
$result = mysql_query("SELECT mobilep FROM dictionary where mobilep LIKE '".$_GET['name_startsWith']."%'");
$data = array();
while ($row = mysql_fetch_array($result)) {
array_push($data, $row['mobilep']);
}
echo json_encode($data);
}
?>
This is very bad ... you're using the deprecated mysql adapter. 这是非常糟糕的 ...您正在使用不建议使用的mysql适配器。
http://php.net/manual/en/book.pdo.php
http://php.net/manual/zh/book.pdo.php
Use pdo and binds, here's a full prototype: 使用pdo和binds,这是一个完整的原型:
class MySql
{
private $sDbName = '';
private $sUsername = '';
private $sPassword = '';
private $sHost = '';
private $oConnection = null;
public function __construct()
{
$this->oConnection = new PDO(
'mysql:host='
. $this->sHost
. ';dbname='
. $this->sDbName,
$this->sUsername,
$this->sPassword
);
}
public function getDb()
{
return $this->oConnection;
}
}
$aReturn[ 'data' ] = '';
if( !empty( $_GET[ 'type' ] )
&& ( !empty( $_GET[ 'name_startsWith' ] )
&& ( $_GET['type'] == 'mobile' )
)
{
$oMySql = new MySql;
$oDb = $oMySql->getDb();
$sSql = "SELECT mobilep FROM dictionary where mobilep LIKE :name";
$aBinds[ ':name' ] = $_GET[ 'name_startsWith' ] . '%';
$oStmp = $oDb->prepare( $sSql );
$oMySql->bindVariables( $oStmp, $aBinds );
$oStmp->execute();
$oResults = $oStmp->fetchall();
if( !empty( $oResults ) )
{
// var_dump( $aResults );
$oErrors = $oStmp->errorInfo();
// var_dump( $oErrors );
$aReturn[ 'data' ] = $aResults;
}
}
$sJson = json_encode( $aReturn, 1 );
header( 'Content-type', 'application/json' );
echo $sJson;
(Yes, this is question over a year old. But there is no selected answer. I ran across this question in a search...) (是的,这是一个多岁的问题。但是没有选择的答案。我在搜索中遇到了这个问题...)
If you are stuck with mysql_ interface functions, and can't migrate to mysqli or PDO, the best you can do is to use the mysql_real_escape_string function. 如果您受制于mysql_接口函数,并且无法迁移到mysqli或PDO,则最好的办法是使用mysql_real_escape_string函数。
existing code: 现有代码:
= mysql_query(" ... LIKE '". $_GET['name_startsWith'] ."%'");
to properly escape a potentially unsafe value, before it's incorporated into the SQL text, use the mysql_real_escape_string
function... 要在将其合并到SQL文本之前正确转义潜在的不安全值,请使用
mysql_real_escape_string
函数...
= mysql_query(" ... LIKE '". mysql_real_escape_string( $_GET['name_startsWith'] )."%'");
^^^^^^^^^^^^^^^^^^^^^^^^^ ^
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.