有关PHP的简单问题
[英]Easy question about PHP
问题描述
i have an android app, that connects to a remote DB with PHP. 
我有一个Android应用程序,可使用PHP连接到远程数据库。 OK, i have it done and working, but i need something special. 好的,我已经完成并工作了,但是我需要一些特殊的东西。
I need to pass one parameter more to each PHP, and in the PHP code, i need to check if this extra parameter is equal to this word "sea", and only if it is equal, my php will do the remote DB querys. 我需要向每个PHP多传递一个参数,并且在PHP代码中,我需要检查此额外参数是否等于此单词“ sea”,并且只有在相等时,我的php才会执行远程数据库查询。 ¿why i want to do this? ¿为什么我要这样做? to make more safe my php codes, because they can be accesed by internet, but i want to add this extra parameter to certificate that only my app will do querys to the DB, because only my app knows this extra parameter "sea". 为了使我的php代码更安全,因为可以通过Internet访问它们,但是我想将此额外的参数添加到证书中,即只有我的应用程序才能对数据库进行查询,因为只有我的应用程序知道此额外的参数“ sea”。
but i dont know how to do it, because my skills on PHP are null (the phps of my app are done by a friend) 但我不知道该怎么做,因为我在PHP上的技能为空(我的应用程序的php由一位朋友完成)
can someone complete my code with the check i need? 有人可以用我需要的支票完成我的代码吗? the parameter name will be "app_password" and the correct value of the parameter will be "sea" 参数名称将为“ app_password”,参数的正确值为“ sea”
this is my php code where i need the comprobation: 这是我需要帮助的php代码:
<?php
$link =mysql_connect(("theip","theuser","thepass"););
mysql_select_db("pervasive_locations", $link );
$q=mysql_query("Delete From permission Where
fk_email1='".$_REQUEST['email1']."' and
fk_email2='".$_REQUEST['email2']."'",$link );
while($e=mysql_fetch_assoc($q))
$output[]=$e;
print(json_encode($output));
mysql_close($link);
?>
6 个解决方案
解决方案1
2 2011-01-20 12:02:54
More secure by kinda limiting MYSQL injection ... 通过限制MYSQL注入来提高安全性...
i recomment using $_POST or $_GET instead of $_REQUEST ($_POST is more secure but you have to modify your app to do POST requests instead of GET) 我建议使用$ _POST或$ _GET而不是$ _REQUEST($ _POST更安全,但是您必须修改应用程序以执行POST请求而不是GET)
<?php
if ($_REQUEST["app_password"]=='sea'){
$link =mysql_connect('localhost','database_user','database_password');
mysql_select_db("pervasive_locations", $link );
$email1=$var=str_replace('"','"',$_REQUEST['email1']);
$email1=str_replace("'",''',$email1);
$email2=$var=str_replace('"','"',$_REQUEST['email2']);
$email2=str_replace("'",''',$email2);
$q=mysql_query("Delete From permission Where fk_email1='$email1' and fk_email2='email2'",$link );
while($e=mysql_fetch_assoc($q))
$output[]=$e;
print(json_encode($output));
mysql_close($link);
}//end if
?>
解决方案2
2 2011-01-20 12:04:10
If you mean pass the parameter to the PHP by the url, you can fetch it from the $_GET superglobal. 如果您是通过URL将参数传递给PHP,则可以从$ _GET超全局变量中获取它。 For example, if the parameter is named 'param': 例如,如果参数名为“ param”:
if(isset($_GET['param']) && $_GET['param'] == 'sea') {
// rest of your code
}
解决方案3
2 已采纳 2011-01-20 12:07:28
3 tier answer.... 3层答案。
Part 1 第1部分
The solution you need is to check the query string parameters on the call, something like this: 您需要的解决方案是检查调用中的查询字符串参数,如下所示:
if ($_GET['app_password'] == 'sea')
{
.... Do your DB query ....
}
This would work if you called: 如果您致电,这将起作用:
http://www.mysite.com/dodbquery.php?app_password=sea
but would not work if you called 但如果您打电话给我就行不通
http://www.mysite.com/dodbquery.php?app_password=air
http://www.mysite.com/dodbquery.php
http://www.mysite.com/dodbquery.php?foobar=sea
Part 2 - Possibly the more important part 第2部分-可能是更重要的部分
The 'solution' above is all well and good, however this is not going to give you any real security - the URL can be seen, and therefore reused, by any intermediary (between the mobile device and your webserver). 上面的“解决方案”很好,但是并不能为您提供任何真正的安全性-任何中介(在移动设备和Web服务器之间)都可以看到URL,因此可以重复使用该URL。
The same would apply if you used post instead of get, any intermediary would be able to see the content of the post and therefore replay it. 如果您使用发布而不是获取,则同样适用,任何中间人都可以看到发布的内容,因此可以重播。
There are a myriad potential solutions, the simplest IMHO (without reworking scripts etc) is to use post to pass the "password" and do this over SSL. 有无数潜在的解决方案,最简单的恕我直言(无需重新编写脚本等)是使用post传递“密码”并通过SSL进行此操作。 This means that only the client and the server get to see the plaintext post data and therefore an intermediary cannot see your 'secret' key. 这意味着只有客户端和服务器才能看到纯文本发布数据,因此中间人无法看到您的“秘密”密钥。 As an added bonus you could do time sensitive secret keys, so from 1am to 2am you use 'pass1', 2am to 3am you use 'pass2' etc etc. You could also use something similar for the actual key as well (ie app_password) 另外,您可以使用时间敏感型密钥,因此从凌晨1点至凌晨2点使用“ pass1”,从凌晨2点至凌晨3点使用“ pass2”等。您也可以对实际密钥使用类似的东西(即app_password)
You could also check that the device making the call is a mobile device, easily spoofable though. 您还可以检查拨打电话的设备是否是可欺骗的移动设备。
Part 3 - Definately the more important part 第三部分-绝对是最重要的部分
The code sample you posted above is vunerable to SQL injection. 您上面发布的代码示例很容易受到SQL注入的影响。 In summary this means that somebody could inject additional SQL (ie drop table my_really_important)table) into your code and this would be executed without question. 总之,这意味着有人可以向您的代码中注入其他SQL(即drop table my_really_important)表,这将毫无疑问地执行。 You should always verify the inputs to the script to ensure that somebody isn't attempting to 'hack' your script. 您应该始终验证脚本的输入,以确保没有人试图“破解”您的脚本。 As an example your script seems to indicate that the remote inputs are email addresses. 例如,您的脚本似乎表明远程输入是电子邮件地址。 So your code should verify that these are indeed email address. 因此,您的代码应验证这些确实是电子邮件地址。 For example: 例如:
$email1Valid = VerifyEmail($_REQUEST['email1']);
$email2Valid = VerifyEmail($_REQUEST['email2']);
if ((!$email1Valid) || (!$email2Valid))
{
...abort as emails are not valid...
}
else if ($_GET['app_password'] == 'sea')
{
.... Do your DB query (and SQL escape the input emails) ....
}
else
{
.... Abort as your secret password was not passed correctly ....
}
function VerifyEmail($email)
{
return (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email))
}
More information on SQL injection can be found here: 有关SQL注入的更多信息,可以在这里找到:
http://php.net/manual/en/security.database.sql-injection.php http://php.net/manual/zh/security.database.sql-injection.php
解决方案4
0 2011-01-20 12:04:36
Assuming I understand what you need, you could do this: 假设我了解您的需求,则可以执行以下操作:
<?php
// assuming you're posting, but you can change it to $_GET['app_password] if you're not
$pass = $_POST['app_password'];
if($pass == 'sea') {
$link =mysql_connect(("theip","theuser","thepass"););
mysql_select_db("pervasive_locations", $link );
$q=mysql_query("Delete From permission Where
fk_email1='".$_REQUEST['email1']."' and
fk_email2='".$_REQUEST['email2']."'",$link );
while($e=mysql_fetch_assoc($q))
$output[]=$e;
print(json_encode($output));
mysql_close($link);
}
?>
解决方案5
0 2011-01-20 12:08:58
Quite Easy man, 很容易的人,
you need to use a control structure, if in this case 在这种情况下,您需要使用控制结构
<?php
/* Here you start the if condition to verify the parameter
First, you need to GET your value */
$param = $_GET['app_password'];
if ($param == 'sea') {
$link =mysql_connect(("theip","theuser","thepass"););
mysql_select_db("pervasive_locations", $link );
$q=mysql_query("Delete From permission Where
fk_email1='".$_REQUEST['email1']."' and
fk_email2='".$_REQUEST['email2']."'",$link );
while($e=mysql_fetch_assoc($q))
$output[]=$e;
print(json_encode($output));
mysql_close($link);
} /* Here you close your IF statement. */
?>
解决方案6
0 2011-01-20 12:10:41
if you passing by $_GET: 如果您通过$ _GET:
if ( isset ( $_GET ['secret_word'] ) && $_GET ['secret_word'] == 'sea') {
// your code
}
or if you passing by $_POST ( most save from all three ) 或者如果您通过$ _POST(大多数三个都保存)
if ( isset ( $_POST ['secret_word'] ) && $_POST ['secret_word'] == 'sea') {
// your code
}
or 要么
if ( isset ( $_REQUEST ['secret_word'] ) && $_REQUEST ['secret_word'] == 'sea') {
// your code
}
and go to http://php.net/manual/en/security.database.sql-injection.php to read about SQL injection, because your code is like open Pandora Box 并访问http://php.net/manual/zh-cn/security.database.sql-injection.php以了解有关SQL注入的信息,因为您的代码就像打开的Pandora Box一样
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.