这个脚本是否足够安全sql注入?或者是否有可能更有效地改进它? 因为我将在公共场合使用它并且不知道这条线 “mysql_real_escape_string($ _ GET [ 'USER_ID']);”或许可以更多地改进它。
<?
$id = mysql_real_escape_string($_GET['id']);
if ($id == 1)
{
$userinfo['user_id'] = mysql_real_escape_string($_GET['user_id']);
$info = $db->fetchArray("SELECT points FROM ". PREFIX ."list WHERE user_id = '{$userinfo['user_id']}'");
if (!empty($info))
{
$user_rank = UserRank($userinfo['user_id']);
header('Content-type: image/png');
$points = $info['server_points'];
$line = "empty";
$nr = "Number";
$font = 3;
$font2 = 2;
$width = ImageFontWidth($font)* strlen($nr) ;
$width2 = ImageFontWidth($font)* strlen($points);
$height = ImageFontHeight($font);
$im = ImageCreateFrompng(SYS_USER .'/banner.png');
$points_text_color = imagecolorallocate($im, 225, 100, 112);
$nr_text_color = imagecolorallocate ($im, 217, 153, 101);
$line_color = imagecolorallocate ($im, 100, 123, 134);
imagestring ($im, $font, 40, 18, $points, $points_text_color);
imagestring ($im, $font2, 40, 11, $line, $line_color);
imagestring ($im, $font2, 40, 4, $nr, $nr_text_color);
imagestring ($im, $font, 60, 4, $user_rank, $nr_text_color);
imagepng($im);
}
}
答案 0 :(得分:2)
$id使用函数is_numeric():
if(is_numeric($id)) { // if id not numeric -> false else -> true
...
}
答案 1 :(得分:1)
在与sql变量交互时,我会认真考虑使用bind_param。您的代码是来自许多不同地方的字符串的一个很好的例子,可能已经受到危害。 bind_param强制说你传入的字符串中没有注入攻击。如果有什么事情,至少可以让你足够安心,不用担心这个问题。
示例:
$name = "Robert ') DROP TABLE Students;"; //see: http://xkcd.com/327/
$conn = new mysqli(DB_SERVER, DB_USER, DB_PASSWORD, DB_NAME) or
die('There was a problem connecting to the database.');
$query = "SELECT id FROM Users WHERE name=?";
if ($stmt = $conn->prepare($query)) {
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($result);
while ($stmt->fetch()) {
echo $result;
}
$stmt->close();
}