PHP-防止在INSERT STATEMENT上进行SQL注入
[英]PHP - Preventing SQL Injection on INSERT STATEMENT
问题描述
I'll keep this short and simple, I am trying to apply some code to my insert query to prevent SQL injections. 
我将保持简短和简单,我尝试将一些代码应用于我的插入查询以防止SQL注入。 See the code below: 请参见下面的代码:
$insertquery = mysql_query("INSERT INTO users (firstname, lastname, email, username, password) VALUES ('".mysql_real_escape_string($fname)."', '".mysql_real_escape_string($lname)."', '".mysql_real_escape_string($email)."', '".mysql_real_escape_string($username)."', .'".mysql_real_escape_string($pass)."')");
header("location:index-login-page.php?msg1=Thank you for choosing SIAA, please login.");
The above code does not insert any data but it still prints the msg1 message. 上面的代码不插入任何数据,但仍显示msg1消息。 What am I doing wrong or is it even possible to prevent SQL injections on an insert statement. 我在做什么错,甚至有可能防止在插入语句上进行SQL注入。
Thank You 谢谢
Sohail. 苏海尔。
2 个解决方案
解决方案1
3 已采纳 2015-11-03 11:31:46
Use PDO and prepared queries.Use prepared statements and parameterized queries. 使用PDO和准备好的查询,使用准备好的语句和参数化查询。 These are SQL statements that are sent to and parsed by the database server separately from any parameters. 这些是独立于任何参数发送到数据库服务器并由数据库服务器解析的SQL语句。 This way it is impossible for an attacker to inject malicious SQL.Have a look at below example. 这样一来,攻击者就不可能注入恶意SQL,请看下面的示例。
($conn is a PDO object)
$conn = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');
$conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $conn->prepare("INSERT INTO users VALUES(:firstname, :lastname)");
$stmt->bindValue(':firstname', $firstname);
$stmt->bindValue(':lastname', $lastname);
$stmt->execute();
解决方案2
1 2015-11-03 11:33:52
Use prepared statements, this will solve the problem in any case. 使用准备好的语句,无论如何都可以解决问题。 In this way the user input is beeing send seperatly and has no way of tampering with the Query. 这样,用户输入就会被单独发送,并且无法篡改查询。
http://php.net/manual/de/mysqli.quickstart.prepared-statements.php http://php.net/manual/de/mysqli.quickstart.prepared-statements.php
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.