[英]Hiding PHP URL Parameters that come from the database
so I'm a noob to PHP and I am trying to secure my url parameters that use PHP to gain unique pages, and currently they are open to cross site scripting and wondered how I could fix this? 因此,我是PHP的菜鸟,并且我尝试保护使用PHP来获取唯一页面的网址参数,目前它们对跨站点脚本开放,并且想知道如何解决此问题?
<?php if ($result = $link->query("SELECT league_name, role, start_date,
end_date, joincode, active
FROM leagues
WHERE unique_id='$unique_id'", MYSQLI_USE_RESULT))
while($row = $result->fetch_assoc()){ ?>
<tbody>
<tr>
<td scope="row" data-label="League Name"><a class="action" href="leagueinfo.php?league_name=<?php echo $row['league_name']; ?>&joincode=<?php echo $row['joincode']; ?>"><?php echo $row['league_name'] ?></a></td>
</tr>
<?php } $result->close(); ?>
</tbody>
</table>
<?php mysqli_close($link); ?>
So I need to find a way to make sure this doesn't happen: 所以我需要找到一种方法来确保不会发生这种情况:
You can use PDO, prepared statements provide a good way of protection against SQL injection: 1. Prepare your query with empty values as placeholders. 您可以使用PDO,准备好的语句为防止SQL注入提供了一种很好的方法:1.使用空值作为占位符准备查询。 2. Bind values to the placeholders.
2.将值绑定到占位符。 3. Execute your query.
3.执行查询。
//PDO
$stmt = $link->prepare("SELECT league_name, role, start_date, end_date, joincode, active FROM leagues WHERE unique_id=:id");
$stmt->bindParam(':id', $id);
$stmt->execute();
There are a few different values that need to be encoded: 有一些不同的值需要编码:
$unique_id
should be escaped for MySQL, or the query should be parameterized instead. $unique_id
对于MySQL应该转义,或者应该对查询进行参数化。 (See prepared statements .) (请参阅准备好的语句 。)
league_name
and joincode
inside the url should be url encoded, which also happens to remove html special characters. url中的
league_name
和joincode
应该使用url编码,这也会删除html特殊字符。 (See rawurlencode ) (请参阅rawurlencode )
league_name
in the anchor text should be html encoded (see htmlspecialchars ). 锚文本中的
league_name
应该是html编码的(请参阅htmlspecialchars )。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.