本文介绍了我怎样才能防止SQL注入这个code?有点糊涂了的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我读过各种渠道,但我不能确定如何实现他们到我的code。我在想,如果有人可以用它给我一个快速的手吗?有一次,我已经展示了如何在我的code做一次我就可以把它捡起来,我认为!这是一个AJAX自动完成我发现在网络上,尽管我看到的东西,用它做是容易受到SQL注入,由于'%$查询字符串%'的东西?任何帮助真的AP preciated!

 如果(使用isset($ _ POST ['查询字符串']))
{
  $查询字符串= $ _ POST ['查询字符串'];
  如果(strlen的($查询字符串)大于0)
  {
    $查询=选择GAME_TITLE,game_id从游戏中GAME_TITLE LIKE'%$查询字符串%'|| ALT LIKE'%$查询字符串%'LIMIT 10;
    $结果= mysql_query($查询,$分贝)或死亡(有在数据库中的错误,请联系support@laglessfrag.com);
    而($行= mysql_fetch_array($结果))
    {
      $ game_id = $行['game_id'];
      回声'<李的onClick =补(\''$行['GAME_TITLE']'\',。'$ game_id。');> 。 $行['GAME_TITLE']。 '< /李>';
    }
  }
}
 

解决方案

的注入漏洞是,你传递用户提供的数据直接进入查询而不消毒它。特别是,这条线是有问题的:

  $查询字符串= $ _ POST ['查询字符串'];
 

如果您使用的功能 mysql_real_escape_string()围绕 $ _ POST ['查询字符串'] ,将prevent用户能够插入自己的code。

  $查询字符串= mysql_real_escape_string($ _ POST ['查询字符串']);
 

I've read various sources but I'm unsure how to implement them into my code. I was wondering if somebody could give me a quick hand with it? Once I've been shown how to do it once in my code I'll be able to pick it up I think! This is from an AJAX autocomplete I found on the net, although I saw something to do with it being vulnerable to SQL Injection due to the '%$queryString%' or something? Any help really appreciated!

if ( isset( $_POST['queryString'] ) )
{
  $queryString = $_POST['queryString'];
  if ( strlen( $queryString ) > 0 )
  {
    $query = "SELECT game_title, game_id FROM games WHERE game_title LIKE '%$queryString%' || alt LIKE '%$queryString%' LIMIT 10";
    $result = mysql_query( $query, $db ) or die( "There is an error in database please contact support@laglessfrag.com" );
    while ( $row = mysql_fetch_array( $result ) )
    {
      $game_id = $row['game_id'];
      echo '<li onClick="fill(\'' . $row['game_title'] . '\',' . $game_id . ');">' . $row['game_title'] . '</li>';
    }
  }
}
解决方案

The injection vulnerability is that you're passing user supplied data straight into a query without sanitizing it. In particular, this line is problematic:

$queryString = $_POST['queryString'];

If you use the function mysql_real_escape_string() around $_POST['queryString'], that will prevent users from being able to insert their own code.

$queryString = mysql_real_escape_string($_POST['queryString']);

这篇关于我怎样才能防止SQL注入这个code?有点糊涂了的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-19 20:04
查看更多