堆栈内存溢出
  简体   繁体   English

防止SQL注入

[英]Protect from SQL injection

 原文  2012-07-24 00:26:44       php/ filtering/ sql-injection

问题描述

I am trying to learn php and want to use a function to protect form agains SQL injection! 我正在尝试学习php并希望使用一个函数来保护表单再次SQL注入! But somehow form record my db every data which contains any special chars like '"=)/()/*/ 但不知何故形成记录我的数据库每个包含任何特殊字符的数据,如'“=)/()/ * /

My filter function: 我的过滤功能: 

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

Register Page to get POST datas: 注册页面以获取POST数据: 

foreach($_POST as $key => $value) {
    $data[$key] = filter($value);
}

Then i am trying special characters and form save them! 然后我尝试特殊字符和形式保存! What i an doing wrong? 我做错了什么?

4 个解决方案

解决方案1
 4 已采纳  2012-07-24 00:29:40

If you want to protect against SQL injection, the best approach is to use PDO and prepared queries, where all user-provided data is passed in via execute() , like this: 如果要防止SQL注入,最好的方法是使用PDO和准备好的查询,其中所有用户提供的数据都通过execute()传入,如下所示: 

$stmt = $pdo->prepare("INSERT INTO foo (a_column, b_column) VALUES (:a, :b)");
$stmt->execute(array(':a' => $a, ':b' => $b));

You do not have to perform any manipulation on $a or $b ; 您不必对$a$b执行任何操作; PDO will bind the parameters the right way, no matter which database you are using. 无论您使用哪个数据库,PDO都会以正确的方式绑定参数。

解决方案2
 2  2012-07-24 00:31:49

Erm... the point of preventing SQL injection is to continue to allow the user to type whatever they like, without it putting the server or other users at risk. 嗯...防止SQL注入的目的是继续允许用户键入他们喜欢的内容,而不会让服务器或其他用户面临风险。 htmlspecialchars is a good place to start, as it takes things that look like HTML tags and renders them inoccuous. htmlspecialchars是一个很好的起点,因为它看起来像HTML标签并使它们变得无用。 The stripslashes you used is good, although the latest version of PHP removed magic quotes. 你使用的stripslashes是好的,虽然最新版本的PHP删除了魔术引号。 mysql_real_escape_string allows you to insert anything in the database in the form of a string with reasonable safety. mysql_real_escape_string允许您以合理的安全性以字符串的形式在数据库中插入任何内容。

So your filter function should look like: 所以你的过滤器功能应如下所示: 

function filter($data) {
    if( get_magic_quotes_gpc()) $data = stripslashes($data);
    return trim(mysql_real_escape_string(htmlspecialchars($data));
}

Now, if you actually want a filter , as in one that only allows certain characters, use a regex function such as preg_match . 现在,如果你真的想要一个过滤器 ,就像只允许某些字符一样的过滤器 ,请使用preg_match等正则表达式函数。

解决方案3
 0  2012-07-24 00:31:26

Stop using mysql_* functions as they're deprecated. 不推荐使用mysql_ *函数,因为它们已被弃用。 Use PHP database objects (PDO) instead because PDO allows parameter binding which protects you from sql injection. 使用PHP数据库对象(PDO),因为PDO允许参数绑定,以保护您免受SQL注入。

You can read up on using PDO here 您可以在此处阅读使用PDO

解决方案4
 0  2012-07-24 00:34:02

Also consider to check against regex if not using framework. 如果不使用框架,还要考虑检查正则表达式。 Examples: http://www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks 示例: http//www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何保护PHP中的此SQL免受SQL注入? - How to protect this SQL in a PHP from SQL Injection? 如何保护ODBC查询免受SQL注入 - How to protect an ODBC query from SQL injection 网站登录是否可以保护网站免受SQL注入? - Will a site login protect a site from SQL Injection? 如何保护此代码免受sql注入? - How to protect this code from sql injection? 保护laravel上的SQL注入 - protect SQL injection on laravel 防止SQL注入 - Protect against SQL injection Zend_DB / Doctrine是否可以保护我免受SQL注入? - Does Zend_DB / Doctrine protect me from SQL injection? 如何保护SQL条目免受“元”注入? - how do I protect an sql entry from a “meta” injection? 如何从SQL注入中保护此代码? 有点困惑 - How can I protect this code from SQL Injection? A bit confused 使用php时如何防止SQL注入? - how to protect from sql injection when using php?id=
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM