Is this form using radio buttons safe from SQL Injection?
I'm trying to make a dynamic search feature on my website, where the user can choose to look up claim information based on ID, Make, Model, or Date. There is a search bar to type in the data and the radio buttons provide the search filter.
I'm wondering if my simple if-statement approach has vulnerabilities to SQL injection, since I'm passing in the variable directly as the column name (PDO won't let you pass this value in as a parameter, as I understand it).
HTML CODE:
<form method="POST" action="find-claims.php">
<label for="find-claim">Find Claim:</label>
<input type="search" id="claim-search-bar" name="claim-search-bar"><br/>
<input type="radio" value="by-id" id="by-id" class="radio-param" name="search-param" checked><label for="by-id">By Claim Id</label>
<input type="radio" value="by-make" id="by-make" class="radio-param" name="search-param"><label for="by-make">By Vehicle Make</label>
<input type="radio" value="by-model" id="by-model" class="radio-param" name="search-param"><label for="by-model">By Vehicle Model</label>
<input type="radio" value="by-date" id="by-date" class="radio-param" name="search-param"><label for="by-date">By Claim Date</label>
<input type="submit" class="radio-param" value="Submit">
</form>
PHP CODE:
// Get search data
$searchVal = $_POST["claim-search-bar"];
// Get radio value
$searchType = $_POST["search-param"];
// Store search type into db-naming scheme
$radioVal = "";
if($searchType == "by-id"){
$radioVal = "claim_id";
}
else if($searchType == "by-make"){
$radioVal = "make";
}
else if($searchType == "by-model"){
$radioVal = "model";
}
else if($searchType == "by-date"){
$radioVal = "date_received";
}
// DB Interaction
try{
// Connection to DB
require "../db-info.php";
$dbh = new PDO("mysql:host=$serverName; dbname=$dbName", $userName, $password);
$dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
// Get Claim based off dynamic input
$getClaim = $dbh->prepare("SELECT * FROM claims WHERE $radioVal = ?");
$getClaim->bindParam(1, $searchVal);
$getClaim->execute();
$claimInfo = $getClaim->fetchAll();
// Checks if DB returned any data
if($claimInfo){
// Display corresponding info
}
else{
echo "sorry no claim found";
}
$dbh = null;
$getClaim = null;
} catch(PDOException $e){
throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
You can store the search values in an array. Along with removing the useless try-catch, it will make your code half as bloated.
// Get search data
$searchVal = $_POST["claim-search-bar"];
// Get radio value
$searchType = $_POST["search-param"];
// Store search type into db-naming scheme
$searchValues = [
"by-id" => "claim_id",
"by-make" => "make",
"by-model" => "model",
"by-date" => "date_received",
];
$radioVal = $searchValues[$searchType] ?? "claim_id";
// Connection to DB
require "../db-info.php";
// the connection code should really go into include
// Get Claim based off dynamic input
$getClaim = $dbh->prepare("SELECT * FROM claims WHERE $radioVal = ?");
$getClaim->execute([$searchVal]);
$claimInfo = $getClaim->fetchAll();
// Checks if DB returned any data
if($claimInfo){
// Display corresponding info
}
else{
echo "sorry no claim found";
}
Because $radioVal is only assigned literal values you wrote in your code, and it is never assigned any untrusted content, it is safe with respect to SQL injection.
However, I recommend you give it a better default than "". Because if none of the known values for $searchType are matched, then $radioVal will remain "" and you'll get an SQL statement of:
SELECT * FROM claims WHERE = ?
That'll be a syntax error. It won't be due to SQL injection, but it won't work.
And by the way, you do not need to sanitize $searchVal. That's the point of using a bound parameter: it is bound after the query is prepared, so it cannot introduce SQL injection. It doesn't matter if it's sanitized or not.
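The following is an added example, not code from the question or from either answer. It restates the point both answers make (the column name comes from a fixed allowlist, the search text goes in as a bound parameter) in Python against an in-memory SQLite database rather than PHP/PDO, so it can be run stand-alone. The `claims` table, its rows, the function names and the `"' OR '1'='1"` payload are all constructed here for illustration. One design choice differs from the second answer's suggested default: an unknown radio value is rejected outright, since it can only come from a tampered or stale form, and that also avoids the `WHERE = ?` syntax error. `unsafe_find_claims` is included only to show what a bound parameter prevents.

```python
import sqlite3

# Allowlist: form radio values -> real column names. Only these literal
# strings are ever spliced into the SQL text; the raw POST value never is.
SEARCH_COLUMNS = {
    "by-id": "claim_id",
    "by-make": "make",
    "by-model": "model",
    "by-date": "date_received",
}


def build_query(search_type):
    """Return the SELECT for one radio value.

    Unknown values are rejected rather than defaulted: a missing entry means
    a tampered or stale form, and an empty column name would produce the
    'SELECT * FROM claims WHERE = ?' syntax error discussed above.
    """
    column = SEARCH_COLUMNS.get(search_type)
    if column is None:
        raise ValueError(f"unknown search type: {search_type!r}")
    return f"SELECT * FROM claims WHERE {column} = ?"


def find_claims(conn, search_type, search_val):
    """Safe version: column from the allowlist, search text bound as a parameter."""
    return conn.execute(build_query(search_type), (search_val,)).fetchall()


def unsafe_find_claims(conn, search_type, search_val):
    """Anti-pattern, for comparison only: the search text is interpolated into
    the query string, so a quote in it terminates the literal and the rest
    becomes SQL."""
    column = SEARCH_COLUMNS[search_type]
    sql = f"SELECT * FROM claims WHERE {column} = '{search_val}'"
    return conn.execute(sql).fetchall()


def sample_db():
    """Constructed in-memory claims table with a few made-up rows (assumption:
    the real schema has at least these four columns)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE claims (claim_id INTEGER, make TEXT, model TEXT, date_received TEXT)"
    )
    conn.executemany(
        "INSERT INTO claims VALUES (?, ?, ?, ?)",
        [
            (1, "Toyota", "Corolla", "2023-01-05"),
            (2, "Honda", "Civic", "2023-02-11"),
            (3, "Toyota", "Camry", "2023-03-20"),
        ],
    )
    return conn


if __name__ == "__main__":
    conn = sample_db()
    payload = "' OR '1'='1"
    print(find_claims(conn, "by-make", "Toyota"))        # the two Toyota rows
    print(find_claims(conn, "by-make", payload))         # [] : payload is just a string to match
    print(unsafe_find_claims(conn, "by-make", payload))  # all three rows : the injection worked
    try:
        build_query("make; DROP TABLE claims")
    except ValueError as e:
        print("rejected:", e)
```

Running the script shows the contrast directly: the bound parameter version treats the payload as an (unmatched) make name and returns nothing, while the interpolated version returns every row. The same allowlist pattern carries over to ORDER BY columns, sort direction and table names, which PDO likewise cannot bind.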