问题描述
我读过各种渠道,但我不能确定如何实现他们到我的code。我在想,如果有人可以用它给我一个快速的手吗?有一次,我已经展示了如何在我的code做一次我就可以把它捡起来,我认为!这是一个AJAX自动完成我发现在网络上,尽管我看到的东西,用它做是容易受到SQL注入,由于'%$查询字符串%'的东西?任何帮助真的AP preciated!
如果(使用isset($ _ POST ['查询字符串']))
{
$查询字符串= $ _ POST ['查询字符串'];
如果(strlen的($查询字符串)大于0)
{
$查询=选择GAME_TITLE,game_id从游戏中GAME_TITLE LIKE'%$查询字符串%'|| ALT LIKE'%$查询字符串%'LIMIT 10;
$结果= mysql_query($查询,$分贝)或死亡(有在数据库中的错误,请联系support@laglessfrag.com);
而($行= mysql_fetch_array($结果))
{
$ game_id = $行['game_id'];
回声'<李的onClick =补(\''$行['GAME_TITLE']'\',。'$ game_id。');> 。 $行['GAME_TITLE']。 '< /李>';
}
}
}
的注入漏洞是,你传递用户提供的数据直接进入查询而不消毒它。特别是,这条线是有问题的:
$查询字符串= $ _ POST ['查询字符串'];
如果您使用的功能 mysql_real_escape_string()
围绕 $ _ POST ['查询字符串']
,将prevent用户能够插入自己的code。
$查询字符串= mysql_real_escape_string($ _ POST ['查询字符串']);
I've read various sources but I'm unsure how to implement them into my code. I was wondering if somebody could give me a quick hand with it? Once I've been shown how to do it once in my code I'll be able to pick it up I think! This is from an AJAX autocomplete I found on the net, although I saw something to do with it being vulnerable to SQL Injection due to the '%$queryString%' or something? Any help really appreciated!
if ( isset( $_POST['queryString'] ) )
{
$queryString = $_POST['queryString'];
if ( strlen( $queryString ) > 0 )
{
$query = "SELECT game_title, game_id FROM games WHERE game_title LIKE '%$queryString%' || alt LIKE '%$queryString%' LIMIT 10";
$result = mysql_query( $query, $db ) or die( "There is an error in database please contact support@laglessfrag.com" );
while ( $row = mysql_fetch_array( $result ) )
{
$game_id = $row['game_id'];
echo '<li onClick="fill(\'' . $row['game_title'] . '\',' . $game_id . ');">' . $row['game_title'] . '</li>';
}
}
}
The injection vulnerability is that you're passing user supplied data straight into a query without sanitizing it. In particular, this line is problematic:
$queryString = $_POST['queryString'];
If you use the function mysql_real_escape_string()
around $_POST['queryString']
, that will prevent users from being able to insert their own code.
$queryString = mysql_real_escape_string($_POST['queryString']);
这篇关于我怎样才能防止SQL注入这个code?有点糊涂了的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!