此代码是否可以防止SQL注入?如果没有,我将如何保护该代码免受SQL注入?预先感谢。
error_reporting(E_ALL);
ini_set('display_errors', 1);
$servername = "";
$username = "";
$password = "";
$db_name = "";
// Create connection
$conn = new mysqli($servername, $username, $password, $db_name);
// Check connection
if ($conn->connect_error){
die("Connection failed: " . $conn->connect_error);
}
$id = $_GET['id'];
$id = mysqli_real_escape_string($conn,$id);
$query = "SELECT * FROM `images` WHERE `file_title`='" . $id . "'";
$result = mysqli_query($conn,$query);
while($row = mysqli_fetch_array($result)) {
echo '<video width="100%" class="video" controls>';
echo '<source src="uploads/'.$row['file_name'].'" type="video/mp4">';
echo '</video>';
}
答案 0 :(得分:0)
您始终需要使用参数化查询语法,而不是常规的字符串连接(您现在正在执行)
代替
settings.py
#Contact Form Email
EMAIL_BACKEND = 'django_smtp_ssl.SSLEmailBackend'
EMAIL_USE_SSL = True
EMAIL_HOST = 'cp163173.hpdns.net'
EMAIL_HOST_USER = 'enquiries@oculus-media.co.uk'
EMAIL_HOST_PASSWORD = 'password'
EMAIL_PORT = 465
views.py
from django.core.mail import send_mail, BadHeaderError
from django.http import HttpResponse, HttpResponseRedirect
from django.conf import settings
from django.contrib import messages
from .forms import ContactForm, seoSearch
def contacts(request):
OrderType = request.POST.get('Package')
if request.method =='GET':
form = ContactForm()
else:
form = ContactForm(request.POST)
if form.is_valid():
''' Begin reCAPTCHA validation '''
recaptcha_response = request.POST.get('g-recaptcha-response')
data = {
'secret': settings.GOOGLE_RECAPTCHA_SECRET_KEY,
'response': recaptcha_response
}
r = requests.post('https://www.google.com/recaptcha/api/siteverify', data=data)
result = r.json()
''' End reCAPTCHA validation '''
if result['success']:
subject = 'Web Enquiry'
contactType = form.cleaned_data['contactType']
contactName = form.cleaned_data['contactName']
contactEmail = form.cleaned_data['contactEmail']
contactPhone = form.cleaned_data['contactPhone']
contactStart = form.cleaned_data['contactStart']
contactBudget = form.cleaned_data['contactBudget']
contactCompany = form.cleaned_data['contactCompany']
contactPhone = str(contactPhone)
contactBudget = str(contactBudget)
contactStart = str(contactStart)
formData = "Enquiry Type - " + contactType + "\nContact Name - " + contactName + "\nEmail Address - " + contactEmail + "\nPhone - " + contactPhone + "\nStart Date - " + contactStart + "\nBudget - " + contactBudget + "\nCompany Name - " + contactCompany
try:
send_mail(subject, formData, 'enquiries@oculus-media.co.uk', ['enquiries@oculus-media.co.uk'])
except BadHeaderError:
return HttpResponse('Invalid header found')
return redirect('success')
else:
messages.error(request, 'Invalid reCAPTCHA, Please Try Again')
return redirect('contacts')
else:
form = ContactForm()
return render(request, "contact-us.html", {
'OrderType' : OrderType,
'form' : form,
})
contact_us.html
<form method="POST">
{% csrf_token %}
{% for y in form %}
<li class="row no-gutters g-brd-bottom g-brd-gray-light-v4 g-py-30">
<div class="col-sm-6 g-mb-30 g-mb-0--sm">
<h3 class="h5 mb-0">{{y.label_tag}}</h3>
</div>
<div class="col-sm-6">
{{y}}
</div>
</li>
{% endfor %}
<div class="row justify-content-center">
<div class="g-recaptcha" data-sitekey="6LcOkoUUAAAAANcu-bmkbIbMtlukvZMfKP1lml67"></div>
<input type="hidden" value="{{OrderType}}"/>
<input class="btn btn-block u-btn-black g-brd-primary--hover g-color-primary g-color-main--hover g-bg-main g-bg-primary--hover g-font-weight-600 g-font-size-12 text-uppercase g-px-25 g-py-13" type="submit">
</input>
</div>
</form>
您需要使用
$query = "SELECT * FROM `images` WHERE `file_title`='" . $id . "'";
,您需要相应地添加参数
$query = "SELECT * FROM `images` WHERE `file_title`= @title ";