防止Joomla中的SQL注入的最佳方法 [英] Best way to prevent SQL injections in Joomla
问题描述
我从POST方法中获取变量,并使用Joomla 2.5在MySQL上查询它们.
I take variables from POST method and query them on MySQL with Joomla 2.5.
最安全的方法是什么?目前,我正在将JRequest :: getVar与mysql_real_escape_string一起使用.是对的吗?
What is the most secured method to use ? Currently I'm using JRequest::getVar with mysql_real_escape_string. Is it correct ?
-
$ _ POST和mysql_real_escape_string
$ password = mysql_real_escape_string($ _ POST ["pwd"]));
$password = mysql_real_escape_string($_POST["pwd"]));
JRequest :: getVar与mysql_real_escape_string
$ password = mysql_real_escape_string(JRequest :: getVar('pwd','','post'));
$password= mysql_real_escape_string(JRequest::getVar('pwd', '', 'post'));
JRequest :: getVar
$ password = JRequest :: getVar('pwd','','post');
$password= JRequest::getVar('pwd', '', 'post');
JInput
$ password = $ jinput-> get('pwd','','STRING');
$password = $jinput->get('pwd', '', 'STRING');
带有mysql_real_escape_string的JInput
$ password = mysql_real_escape_string($ jinput-> get('pwd','','STRING'));
$password = mysql_real_escape_string($jinput->get('pwd', '', 'STRING'));
还有别的吗?
我发现了另一种使用mysql_real_escape_string来转义字符的方法 http://docs.joomla.org/API15:JDatabaseMySQL/getEscaped
I found another method which escape characters using mysql_real_escape_string http://docs.joomla.org/API15:JDatabaseMySQL/getEscaped
这是我的查询代码.
$db = JFactory::getDbo();
$query = $db->getQuery(true);
$query->select(array('username', 'password', 'state','name'));
$query->from('#__dbusers');
$query->where('username = \''.$loginUsername.'\' AND password = \''.$loginPassword.'\' AND state > -1');
$db->setQuery($query);
$results = $db->loadObjectList();
MySQL的框架11.1 escape()方法
EDIT 2: Framework 11.1 escape() method for MySQL
public function escape($text, $extra = false)
{
$result = mysql_real_escape_string($text, $this->getConnection());
if ($extra)
{
$result = addcslashes($result, '%_');
}
return $result;
}
由于escape()使用mysql_real_escape_string()可以安全地按以下方式使用吗?
Since escape() use mysql_real_escape_string() Will it be safe to use as below ?
$ loginUsername = mysql_real_escape_string(JRequest :: getVar('user','','post','STRING'));
$loginUsername = mysql_real_escape_string(JRequest::getVar('user', '', 'post','STRING'));
推荐答案
在Joomla!中,您从不直接访问任何超全局变量.另外,您应始终区分传入和传出的数据.因此,要从请求中获取传入值,请使用
In Joomla!, you never directly access any of the superglobals. Also, you should alway distinguish incoming and outcoming data. Thus, to get the incoming value from the request, use
$password = $jinput->get('pwd', '', 'STRING');
(JInput是正确的选择;不推荐使用JRequest,以后将其删除.)
现在,您可以使用一个干净的价值.准备使用PHP进行处理.
(JInput is the right choice; JRequest is deprecated and will be removed in the future.)
Now you have a clean value to work with. It is prepared to be handled with PHP.
接下来的事情是在SQL查询中使用该值(传出),您必须正确地对其进行转义.
The next thing is to use the value in an SQL query (outgoing), you have to escape it properly.
$query->where("username = " . $db->quote($loginUsername) . " AND password = " . $db->quote($loginPassword) . " AND state > -1");
$db->quote()与$db->escape()有所不同,$db->quote()添加了基础数据库引擎所需的引号.
In difference to $db->escape(), $db->quote() adds the quotes required by the underlying database engine.
好吧,您可能在某个时候想要另一种类型的输出,例如.在视图中(即使 password 对于本示例而言并非最佳选择,我还是出于一致性考虑使用它):
Well, you might at some point want another type of output, eg. within a view (even if password is not best for this example, I use it for consistency):
echo $this->escape($password); // applies html_specialchars in HTML views
因此,优良作法总是始终使逃逸尽可能地靠近需要的地方.对于传入数据,它紧接在检索之后;对于传出数据,紧接在发送/打印之前.
Therefor it is good practice always to keep escaping as close at possible to where it is needed. For incoming data this is immediately after the retrieval, for outgoing data immediately before sending/printing.
这篇关于防止Joomla中的SQL注入的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
