
How to make a query SQL Injection safe in Joomla 2.5

How can I make this query SQL injection safe, please? Will JRequest::getVar ensure that the parameter that is passed is SQL injection safe?

$product_id = JRequest::getVar('product_id');   // request value, concatenated straight into the SQL below
$db = JFactory::getDBO();
$query = " select * from #__products where product_id=".$product_id."; ";
$db->setQuery($query);
$data = $db->loadObjectList();
return $data[0];

Just as an extension of @Sudhir's answer.

JRequest has been deprecated since Joomla! 1.7 and is being progressively removed, e.g. Potential backward compatibility issues in Joomla 3.0. If you intend to keep your component around, you may want to migrate your old style JRequest calls to JInput.

Yes, using the getVar function to access request variables will ensure that all user data is filtered before it's used somewhere else (such as in SQL queries). The getVar method on the JRequest class automatically filters the input (unless explicitly told otherwise).

You can also use quote to escape strings before inserting into the database.
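As an added example (not code from the question or from either answer), here is the query from the question rewritten along the lines both answers suggest: the request value is read through JInput with a type filter, and the query is built with the JDatabaseQuery builder so the value is bound as an integer literal (or, for a string, escaped with `$db->quote()`). The function names `loadProductById` and `loadProductBySku`, the `sku` column, and the surrounding Joomla 2.5 component context are assumptions for illustration.

```php
<?php
// Added example, not from the original question or answers.
// Assumes a Joomla 2.5 component: JFactory, JInput and the JDatabaseQuery
// builder are available. Function names and the `sku` column are invented.

defined('_JEXEC') or die;

/**
 * Load one product by its integer id.
 *
 * getInt() applies the INT filter, so whatever arrives in the request
 * becomes a plain integer (or 0). The value is then placed in the WHERE
 * clause as an integer literal, so it can never change the SQL structure.
 */
function loadProductById()
{
    $input     = JFactory::getApplication()->input;   // JInput, the JRequest replacement
    $productId = $input->getInt('product_id', 0);     // INT filter: non-numeric input becomes 0

    if ($productId <= 0) {
        return null; // nothing sensible to look up, so do not run the query at all
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true);

    $query->select('*')
        ->from($db->quoteName('#__products'))
        ->where($db->quoteName('product_id') . ' = ' . (int) $productId);

    $db->setQuery($query);

    return $db->loadObject(); // first matching row as an object, or null
}

/**
 * Same idea for a string parameter: filter for the type you expect, then let
 * $db->quote() escape and quote the value so it is always treated as data.
 */
function loadProductBySku()
{
    $input = JFactory::getApplication()->input;
    $sku   = $input->getString('sku', '');   // STRING filter: strips tags, keeps ordinary characters

    if ($sku === '') {
        return null;
    }

    $db    = JFactory::getDbo();
    $query = $db->getQuery(true);

    $query->select('*')
        ->from($db->quoteName('#__products'))
        ->where($db->quoteName('sku') . ' = ' . $db->quote($sku)); // quote() escapes and wraps in quotes

    $db->setQuery($query);

    return $db->loadObject();
}
```

If the component still has to run on the old API, `JRequest::getInt('product_id', 0)` gives the same integer filtering as `$input->getInt()`; the important part is that a typed getter (or `$db->quote()` for strings) replaces the raw `getVar()` value that was concatenated into the query.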
