Is this form using radio buttons safe from SQL Injection?
I'm trying to create a dynamic search feature on my website where users can choose to look up claim information by ID, Make, Model or date. There is a search bar to enter the data, and radio buttons provide the search filter.
I want to know whether my simple if-statement approach is vulnerable to SQL injection, because I pass the variable directly as the column name (as far as I know, PDO won't let you pass this value as a parameter).
HTML code:
<form method="POST" action="find-claims.php">
    <label for="claim-search-bar">Find Claim:</label>
    <input type="search" id="claim-search-bar" name="claim-search-bar"><br/>
    <!-- each radio needs an id so its label's "for" attribute resolves -->
    <input type="radio" id="by-id" value="by-id" class="radio-param" name="search-param" checked><label for="by-id">By Claim Id</label>
    <input type="radio" id="by-make" value="by-make" class="radio-param" name="search-param"><label for="by-make">By Vehicle Make</label>
    <input type="radio" id="by-model" value="by-model" class="radio-param" name="search-param"><label for="by-model">By Vehicle Model</label>
    <input type="radio" id="by-date" value="by-date" class="radio-param" name="search-param"><label for="by-date">By Claim Date</label>
    <input type="submit" class="radio-param" value="Submit">
</form>
PHP code:
// Get search data
$searchVal = $_POST["claim-search-bar"];
// Get radio value
$searchType = $_POST["search-param"];
// Store search type into db-naming scheme
$radioVal = "";
if ($searchType == "by-id") {
    $radioVal = "claim_id";
} else if ($searchType == "by-make") {
    $radioVal = "make";
} else if ($searchType == "by-model") {
    $radioVal = "model";
} else if ($searchType == "by-date") {
    $radioVal = "date_received";
}
// DB Interaction
try {
    // Connection to DB (db-info.php defines $serverName, $dbName, $userName, $password)
    require "../db-info.php";
    $dbh = new PDO("mysql:host=$serverName;dbname=$dbName", $userName, $password);
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Get Claim based off dynamic input: only the column name is interpolated,
    // the search value itself is bound as a parameter
    $getClaim = $dbh->prepare("SELECT * FROM claims WHERE $radioVal = ?");
    $getClaim->bindParam(1, $searchVal);
    $getClaim->execute();
    $claimInfo = $getClaim->fetchAll();
    // Checks if DB returned any data
    if ($claimInfo) {
        // Display corresponding info
    } else {
        echo "sorry no claim found";
    }
    $dbh = null;
} catch (PDOException $e) {
    throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
You can store the search values in an array. Apart from that, remove the useless try-catch; it doubles the size of your code.
// Get search data
$searchVal = $_POST["claim-search-bar"];
// Get radio value
$searchType = $_POST["search-param"];
// Store search type into db-naming scheme
$searchValues = [
    "by-id"    => "claim_id",
    "by-make"  => "make",
    "by-model" => "model",
    "by-date"  => "date_received",
];
// Fall back to a known column when the radio value is not in the map
$radioVal = $searchValues[$searchType] ?? "claim_id";
// Connection to DB
require "../db-info.php";
// the connection code should really go into the include
// Get Claim based off dynamic input
$getClaim = $dbh->prepare("SELECT * FROM claims WHERE $radioVal = ?");
$getClaim->execute([$searchVal]);
$claimInfo = $getClaim->fetchAll();
// Checks if DB returned any data
if ($claimInfo) {
    // Display corresponding info
} else {
    echo "sorry no claim found";
}
Because $radioVal is only ever assigned literal values that you wrote in the code, and is never assigned anything untrusted, it is safe from SQL injection.
However, I recommend giving it a better default value than "". If $searchType doesn't match any of the known values, $radioVal will remain "" and you will get the SQL statement:
SELECT * FROM claims WHERE = ?
which would be a syntax error. That wouldn't be due to SQL injection, but it wouldn't work.
By the way, you don't need to sanitize $searchVal. That's the point of using bound parameters: it is bound after the query is prepared, so it can't introduce SQL injection. Whether or not it is sanitized doesn't matter.
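The allowlist from the first answer and the empty-default failure mode from the second, put together as an added example (not code from the question or either answer). It assumes a claims table with the four columns named in the question; the SQLite in-memory database and its rows are constructed for the demo in place of the site's MySQL connection.

```php
<?php
// Added example, not the asker's or answerers' code. The claims table and
// its rows below are constructed so the script runs offline via pdo_sqlite.

/** Map the radio value to a column name through a fixed allowlist. */
function resolveSearchColumn(?string $searchType): string
{
    $allowed = [
        'by-id'    => 'claim_id',
        'by-make'  => 'make',
        'by-model' => 'model',
        'by-date'  => 'date_received',
    ];
    if ($searchType === null || !array_key_exists($searchType, $allowed)) {
        // Reject instead of falling through to "" (which yields "WHERE = ?").
        throw new InvalidArgumentException('Unknown search type');
    }
    return $allowed[$searchType];
}

/** Run the search: only the allowlisted identifier is interpolated, the value is bound. */
function findClaims(PDO $dbh, array $post): array
{
    $column = resolveSearchColumn($post['search-param'] ?? null);
    $stmt = $dbh->prepare("SELECT * FROM claims WHERE $column = ?");
    $stmt->execute([$post['claim-search-bar'] ?? '']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data (the real site connects to MySQL via db-info.php).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE claims (claim_id INTEGER, make TEXT, model TEXT, date_received TEXT)');
$dbh->exec("INSERT INTO claims VALUES (1, 'Ford', 'Focus', '2020-01-05'), (2, 'Ford', 'Fiesta', '2020-02-10')");

// Normal search: the search-bar value travels as a bound parameter.
$rows = findClaims($dbh, ['search-param' => 'by-make', 'claim-search-bar' => 'Ford']);
echo count($rows), " claim(s) for make Ford\n";

// A search-bar value containing quotes is just data, never SQL.
$rows = findClaims($dbh, ['search-param' => 'by-make', 'claim-search-bar' => "Ford' OR '1'='1"]);
echo count($rows), " claim(s) for the quoted string\n";

// A tampered radio value never reaches the SQL string: it is rejected up front.
try {
    findClaims($dbh, ['search-param' => 'make OR 1=1', 'claim-search-bar' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```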