本文介绍了防止Joomla中的SQL注入的最佳方法的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我从POST方法中获取变量,并使用Joomla 2.5在MySQL上查询它们.

I take variables from POST method and query them on MySQL with Joomla 2.5.

最安全的方法是什么?目前,我正在将JRequest :: getVar与m​​ysql_real_escape_string一起使用.是对的吗?

What is the most secured method to use ? Currently I'm using JRequest::getVar with mysql_real_escape_string. Is it correct ?

  1. $ _ POST和mysql_real_escape_string

$ password = mysql_real_escape_string($ _ POST ["pwd"]));

$password = mysql_real_escape_string($_POST["pwd"]));

JRequest :: getVar与m​​ysql_real_escape_string

$ password = mysql_real_escape_string(JRequest :: getVar('pwd','','post'));

$password= mysql_real_escape_string(JRequest::getVar('pwd', '', 'post'));

JRequest :: getVar

$ password = JRequest :: getVar('pwd','','post');

$password= JRequest::getVar('pwd', '', 'post');

JInput

$ password = $ jinput-> get('pwd','','STRING');

$password = $jinput->get('pwd', '', 'STRING');

带有mysql_real_escape_string的JInput

$ password = mysql_real_escape_string($ jinput-> get('pwd','','STRING'));

$password = mysql_real_escape_string($jinput->get('pwd', '', 'STRING'));

还有别的吗?

我发现了另一种使用mysql_real_escape_string来转义字符的方法 http://docs.joomla.org/API15:JDatabaseMySQL/getEscaped

I found another method which escape characters using mysql_real_escape_string http://docs.joomla.org/API15:JDatabaseMySQL/getEscaped

这是我的查询代码.

$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select(array('username', 'password', 'state','name'));
$query->from('#__dbusers');
$query->where('username = \''.$loginUsername.'\' AND password = \''.$loginPassword.'\' AND state > -1');
$db->setQuery($query);
$results = $db->loadObjectList();

MySQL的框架11.1 escape()方法

EDIT 2: Framework 11.1 escape() method for MySQL

public function escape($text, $extra = false)
{
    $result = mysql_real_escape_string($text, $this->getConnection());

    if ($extra)
    {
        $result = addcslashes($result, '%_');
    }

    return $result;
}

由于escape()使用mysql_real_escape_string()可以安全地按以下方式使用吗?

Since escape() use mysql_real_escape_string() Will it be safe to use as below ?

$ loginUsername = mysql_real_escape_string(JRequest :: getVar('user','','post','STRING'));

$loginUsername = mysql_real_escape_string(JRequest::getVar('user', '', 'post','STRING'));

推荐答案

在Joomla!中,您从不直接访问任何超全局变量.另外,您应始终区分传入和传出的数据.因此,要从请求中获取传入值,请使用

In Joomla!, you never directly access any of the superglobals. Also, you should alway distinguish incoming and outcoming data. Thus, to get the incoming value from the request, use

$password = $jinput->get('pwd', '', 'STRING');

(JInput是正确的选择;不推荐使用JRequest,以后将其删除.)现在,您可以使用一个干净的价值.准备使用PHP进行处理.

(JInput is the right choice; JRequest is deprecated and will be removed in the future.)Now you have a clean value to work with. It is prepared to be handled with PHP.

接下来的事情是在SQL查询中使用该值(传出),您必须正确地对其进行转义.

The next thing is to use the value in an SQL query (outgoing), you have to escape it properly.

$query->where("username = " . $db->quote($loginUsername) . " AND password = " . $db->quote($loginPassword) . " AND state > -1");

$db->quote()$db->escape()有所不同,$db->quote()添加了基础数据库引擎所需的引号.

In difference to $db->escape(), $db->quote() adds the quotes required by the underlying database engine.

好吧,您可能在某个时候想要另一种类型的输出,例如.在视图中(即使 password 对于本示例而言并非最佳选择,我还是出于一致性考虑使用它):

Well, you might at some point want another type of output, eg. within a view (even if password is not best for this example, I use it for consistency):

echo $this->escape($password); // applies html_specialchars in HTML views

因此,优良作法总是始终使逃逸尽可能地靠近需要的地方.对于传入数据,它紧接在检索之后;对于传出数据,紧接在发送/打印之前.

Therefor it is good practice always to keep escaping as close at possible to where it is needed. For incoming data this is immediately after the retrieval, for outgoing data immediately before sending/printing.

这篇关于防止Joomla中的SQL注入的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-06 01:30