问题描述

我已经做了一些测试，以保护我的网站免受SQL Injection的侵害.我看到有两种方法可以使用户输入转义，添加斜线或更好地使用参数化的sql语句.

Ive been doing a bit of testing to protect my sites from SQL Injection. I see there are a couple of ways of doing so, Escaping my user inputs, adding slashes, or better yet using parameterized sql statements.

我有这个测试代码.

$q=$_GET["q"];
$game = mysql_query("SELECT * FROM `Games` WHERE `id` = '$q'");
$game = mysql_fetch_array($game);

echo "<h4>ID: ".$game[0]."<br /></h4>name: " . $game[1];

然后我尝试了几个SQLi请求，但无法使测试页出错，也没有显示任何额外的数据.

And I tried several SQLi requests and could not get my test page to error, or show any extra data.

但是当我将sql语句代码更改为此(删除$ q周围的单引号)..

But when i changed my sql statement code to this (Removed the single quotes around $q)..

$game = mysql_query("SELECT * FROM `Games` WHERE `id` = $q");

我可以执行简单的SQLi并获得一些结果.

I could perform simple SQLi's and get some results.

因此，仅将我的用户输入括在单引号中就足够了吗?还是我看过更复杂的SQLi技术?

So is just wrapping my user inputs in single quotes good enough? Or have i over looked more complex SQLi techniques?

推荐答案

尝试输入以下内容:

abc' OR id <> '

这将导致以下陈述:

"SELECT * FROM `Games` WHERE `id` = 'abc' OR id <> ''"

这将返回所有游戏，而不是仅返回一个.如果您的页面允许显示整个结果，那么我们肯定会看到太多...

That would return all games instead of only one. If your page allows to show the whole result, then we would definitely see too much...

解决方法是在准备好的语句中使用PDO，至少是mysqli_real_escape_string()函数，然后再将用户输入插入SQL语句中.

The way out is to use PDO with prepared statements, are at least the mysqli_real_escape_string() function before inserting the user input into the SQL statement.

SQL-Injection可以做更多的事情，在最坏的情况下，您甚至可以控制服务器.看看此 SQL注入备忘单

SQL-Injection can do a lot more, in the worst case you can even get control over the server. Have a look at this SQL Injection Cheat Sheet

这篇关于SQL注入保护-单引号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！