Preventing SQL injection

Time: 2011-08-31 10:58:44

Tags: php mysql forms sql-injection

Possible duplicate:
  Best way to stop SQL Injection in PHP
  In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

Yesterday I asked a question about a script that wasn't working, and in the end I solved it myself. Someone mentioned the risk of SQL injection.

So what I'm asking today is: with the code inserted below, how do I prevent SQL injection?

So any guidance would be appreciated. I know I can read about SQL injection on the internet, but there are a lot of contradictory articles and I don't know which one is right.

Here is the code. This is all placed in its own page, say 'form-process.php', and the form then submits its data to it, for example

<?php
session_start();

$_SESSION['Title']         = stripslashes($_REQUEST['Title']);
$_SESSION['ShortTitle']    = stripslashes($_REQUEST['ShortTitle']);
$_SESSION['Category']      = stripslashes($_REQUEST['Category']);
$_SESSION['Story']         = stripslashes($_REQUEST['Story']);
$_SESSION['FrontPage']     = stripslashes($_REQUEST['FrontPage']);
$_SESSION['imagefilename'] = $_FILES['image']['name'];

if (empty($_REQUEST['Title'])) {
    header("Location: " . $_SERVER['HTTP_REFERER'] . "?message=0");
    exit;
} elseif (empty($_REQUEST['ShortTitle'])) {
    header("Location: " . $_SERVER['HTTP_REFERER'] . "?message=1");
    exit;
} elseif (strlen($_REQUEST['Category']) < 1) {
    header("Location: " . $_SERVER['HTTP_REFERER'] . "?message=2");
    exit;
} elseif (empty($_REQUEST['Story'])) {
    header("Location: " . $_SERVER['HTTP_REFERER'] . "?message=3");
    exit;
} else {

    include("settings.php");
    include("dbconnect.php");

    if ($_POST['btnSubmit'] == 'Publish') {
        $target = "../../../images/matchreports/uploaded/";
        $target = $target . time() . '-' . basename($_FILES['image']['name']);
        if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
            $image   = time() . '-' . basename($_FILES['image']['name']);
            $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
            // User input is only addslashes()'d and concatenated into the query text;
            // $newdate is built from raw POST fields and goes in with no escaping at all
            $SQL = "INSERT INTO " . $match_reports_table
                 . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('"
                 . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','"
                 . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','"
                 . addslashes('y') . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
            $result = @mysql_query($SQL) or die("Error Publishing 1");

            header("Location: /cms/matchreports/index.php?message=4");
            exit;
        } else {
            $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
            $SQL = "INSERT INTO " . $match_reports_table
                 . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('"
                 . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','"
                 . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','"
                 . addslashes('n') . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
            $result = @mysql_query($SQL) or die("Error Publishing 2");

            header("Location: /cms/matchreports/index.php?message=5");
            exit;
        }
    }

    if ($_POST['btnSubmit'] == 'Save draft') {
        $target = "../../../images/matchreports/uploaded/";
        $target = $target . time() . '-' . basename($_FILES['image']['name']);
        if (move_uploaded_file($_FILES['image']['tmp_name'], $target)) {
            $image   = time() . '-' . basename($_FILES['image']['name']);
            $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
            $SQL = "INSERT INTO " . $match_reports_table
                 . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('"
                 . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','"
                 . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','"
                 . addslashes('n') . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
            $result = @mysql_query($SQL) or die("Error Saving Draft 1");

            header("Location: /cms/matchreports/index.php?message=6");
            exit;
        } else {
            $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
            $SQL = "INSERT INTO " . $match_reports_table
                 . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('"
                 . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','"
                 . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','"
                 . addslashes('n') . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
            $result = @mysql_query($SQL) or die("Error Saving Draft 2");

            header("Location: /cms/matchreports/index.php?message=7");
            exit;
        }
    }

    if ($_POST['btnSubmit'] == 'Publish changes') {
        // This gets all the other information from the form
        $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
        // The record ID is interpolated after WHERE ID= with no quotes and no escaping
        $SQL = "UPDATE " . $match_reports_table
             . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle'])
             . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category'])
             . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active='y',date='$newdate'"
             . " WHERE ID=" . $_REQUEST['ID'];
        $result = @mysql_query($SQL) or die("Error Updating News");

        header("Location: /cms/matchreports/index.php?message=8");
        exit;
    }

    if ($_POST['btnSubmit'] == 'Publish draft to website') {
        // This gets all the other information from the form
        $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
        $SQL = "UPDATE " . $match_reports_table
             . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle'])
             . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category'])
             . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active='y',date='$newdate'"
             . " WHERE ID=" . $_REQUEST['ID'];
        $result = @mysql_query($SQL) or die("Error Updating News");

        header("Location: /cms/matchreports/index.php?message=9");
        exit;
    }

    if ($_POST['btnSubmit'] == 'Save changes to draft') {
        // This gets all the other information from the form
        $newdate = $_POST['date_y'] . '' . $_POST['date_m'] . '' . $_POST['date_d'];
        $SQL = "UPDATE " . $match_reports_table
             . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle'])
             . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category'])
             . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active='n',date='$newdate'"
             . " WHERE ID=" . $_REQUEST['ID'];
        $result = @mysql_query($SQL) or die("Error Updating News");

        header("Location: /cms/matchreports/index.php?message=10");
        exit;
    }

}
?>

3 answers:

Answer 0 (score: 6)

Use PDO and prepared statements.

Answer 1 (score: 4)

The simple general rule I would apply is:

Always keep data in its raw form, and escape it for the appropriate target application when needed.

That means: get rid of the vague stripslashes(), and:

  • For string values in SQL statements, use the database's corresponding escaping function, e.g. mysqli_real_escape_string()

  • For system()-type command names, use escapeshellcmd(), and for their arguments use escapeshellarg()

  • When manually assembling a GET request URL, use urlencode(), and finally

  • To print content into an HTML structure, use htmlentities()

Blindly applying some kind of mangling and hoping it filters out the bad stuff is pointless. Be aware of what you are doing, and do the appropriate thing at each step.

Example: to print a link with a user-supplied GET parameter, you would need

print("<a href='" . htmlentities($BASEURL . "?data=" . urlencode($untrusted)) . "'>click</a>");

Important note: for SQL queries it is usually better to use prepared statements rather than building the query by hand. That is a different technique from the one you are used to, so it is not a direct "how do I fix this" answer, but it is by far the better solution.
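Both answers point at prepared statements. As an added example (not code from the question or from either answer), here is the question's INSERT and UPDATE rewritten with PDO so that no user-controlled value is ever concatenated into the SQL text. The DSN, credentials, the table name `match_reports`, reading the fields from `$_POST` rather than `$_REQUEST`, and the `Publish`/`Save draft` button names are assumptions.

```php
<?php
// Added example, not code from the question or either answer. It rewrites the
// form-process.php INSERT and UPDATE with PDO prepared statements. Assumed: the
// same column names as the question's $match_reports_table, a database named
// 'cms', and that the form fields arrive in $_POST.
$pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares: data never mixes with SQL text
]);

// A table name cannot be a bound parameter, so it must come from trusted config, never from input.
$table = 'match_reports';

// 'active' is decided by which button was pressed, not typed by the user: pick it server-side.
$active = (isset($_POST['btnSubmit']) && $_POST['btnSubmit'] === 'Publish') ? 'y' : 'n';

// Build the date from integers instead of concatenating the raw date_y/date_m/date_d strings.
$newdate = sprintf('%04d%02d%02d', (int) $_POST['date_y'], (int) $_POST['date_m'], (int) $_POST['date_d']);

// INSERT: every user-controlled value is a placeholder, so addslashes()/stripslashes() are gone.
$insert = $pdo->prepare(
    "INSERT INTO {$table} (Title, ShortTitle, Story, FrontPage, active, date, user_ip)
     VALUES (:title, :short, :story, :front, :active, :date, :ip)"
);
$insert->execute([
    ':title'  => $_POST['Title'],
    ':short'  => $_POST['ShortTitle'],
    ':story'  => $_POST['Story'],
    ':front'  => $_POST['FrontPage'],
    ':active' => $active,
    ':date'   => $newdate,
    ':ip'     => $_SERVER['REMOTE_ADDR'],
]);

// UPDATE: the question concatenated $_REQUEST['ID'] straight after "WHERE ID="; bind it as an integer.
$update = $pdo->prepare(
    "UPDATE {$table} SET Title = :title, ShortTitle = :short, Story = :story,
     Category = :cat, FrontPage = :front, active = :active, date = :date WHERE ID = :id"
);
$update->bindValue(':title',  $_POST['Title']);
$update->bindValue(':short',  $_POST['ShortTitle']);
$update->bindValue(':story',  $_POST['Story']);
$update->bindValue(':cat',    $_POST['Category']);
$update->bindValue(':front',  $_POST['FrontPage']);
$update->bindValue(':active', $active);
$update->bindValue(':date',   $newdate);
$update->bindValue(':id',     (int) $_POST['ID'], PDO::PARAM_INT);
$update->execute();
```

With `ATTR_ERRMODE` set to exceptions, a failed query throws instead of being silenced by `@mysql_query(...) or die(...)`, so errors can be logged without leaking query text to the user.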

Answer 2 (score: 0)

I strongly recommend this article about escaping in general (Google-translated from Czech).