Does this work to stop SQL injections?


Question

I have been using the block of code below to supposedly stop SQL injections. It is something someone showed me when I first started PHP (which was not that long ago).

I place it in every page just as shown on the open. I am wondering if it is effective. I do not know how to test for SQL injections.

<?php

// Start the session
session_start();

//======================= open connection
include ('lib/dbconfig.php');

//=============== This stops SQL Injection in POST vars
foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
}

foreach ($_GET as $key => $value) {
    $_GET[$key] = mysql_real_escape_string($value);
}

My typical insert and update queries look like this:

$insert = ("'$email','$pw','$company', '$co_description', '$category', '$url', '$street', '$suite', '$city', '$state', '$zip', '$phone', '$date', '$actkey'");

mysql_query("INSERT INTO provider (email, pw, company, co_description, category, url, street, suite, city, state, zip, phone, regdate, actkey) VALUES ($insert)") or die ('error ' . mysql_error());

mysql_query("UPDATE coupon SET head='$_POST[head]', fineprint='$_POST[fineprint]', exdate='$exdate', creationdate=NOW() WHERE id='$cid'") or die ('error ' . mysql_error());

Answer

This is not enough.

1. You're missing cookies, the $_COOKIE variable.
2. If you use $_REQUEST you're in trouble.
3. You didn't show your queries; you must enquote each variable with single quotes '' when you put it into the query (especially when the data is supposed to be an integer and you might think that a quote is not necessary in that case, but that would be a big mistake).
4. Data used in your query could come from other sources.

The best way is to use data binding and have the data escaped automatically by the driver; this is available in the PDO extension.

Example code:

$PDO = new PDO('mysql:dbname=testdb;host=127.0.0.1', $user, $password);
$stmt = $PDO->prepare("SELECT * FROM test WHERE id=? AND cat=?");
$stmt->execute(array($_GET["id"], $_GET["cat"]));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

You can also bind data using string keys:

$stmt = $PDO->prepare("SELECT * FROM test WHERE id = :id AND cat = :cat");
$stmt->execute(array(":id" => $_GET["id"], ":cat" => $_GET["cat"]));

If you want to learn PDO, you might find these helper functions I use useful:

http://www.gosu.pl/var/PDO.txt

PDO_Connect(dsn, user, passwd) - connects and sets error handling.
PDO_Execute(query [, params]) - only execute query, do not fetch any data.
PDO_InsertId() - last insert id.

PDO_FetchOne(query [, params]) - fetch 1 value, $count = PDO_FetchOne("SELECT COUNT(*) ..");
PDO_FetchRow(query [, params]) - fetch 1 row.
PDO_FetchAll(query [, params]) - fetch all rows.
PDO_FetchAssoc(query [, params]) - returns an associative array, when you need 1 or 2 cols

1) $names = PDO_FetchAssoc("SELECT name FROM table");
the returned array is: array(name, name, ...)

2) $assoc = PDO_FetchAssoc("SELECT id, name FROM table")
the returned array is: array(id=> name, id=>name, ...)

3) $assoc = PDO_FetchAssoc("SELECT id, name, other FROM table");
the returned array is: array(id=> array(id=>'',name=>'',other=>''), id=>array(..), ..)

Each of the functions that fetch data accepts as its 2nd argument a parameters array (optional), used for automatic data binding against SQL injections. Its use has been presented earlier in this post.
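As an added example, not code from the question or the answer, here are the asker's INSERT and UPDATE queries rewritten with PDO prepared statements, the way the answer recommends; the table and column names are the question's, the DSN credentials are placeholders, and it assumes PHP 7.4 or later:

```php
<?php
// Added example, not code from the question or the answer: the asker's INSERT and
// UPDATE rewritten with PDO prepared statements. Table and column names are the
// question's; the DSN credentials are placeholders. Assumes PHP 7.4+.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:dbname=testdb;host=127.0.0.1;charset=utf8mb4', // charset set on the DSN
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // no silent failures
            PDO::ATTR_EMULATE_PREPARES => false, // values never enter the SQL text
        ]
    );
}

// Replaces the $insert string: the column list is a fixed constant in code, every
// value is a named placeholder, and $row is an associative array keyed by column.
function insertProvider(PDO $pdo, array $row): int
{
    $cols = ['email', 'pw', 'company', 'co_description', 'category', 'url', 'street',
             'suite', 'city', 'state', 'zip', 'phone', 'regdate', 'actkey'];
    $sql = sprintf('INSERT INTO provider (%s) VALUES (%s)',
        implode(', ', $cols),
        implode(', ', array_map(fn ($c) => ':' . $c, $cols)));
    $stmt = $pdo->prepare($sql);
    foreach ($cols as $c) {
        $stmt->bindValue(':' . $c, $row[$c] ?? null); // missing key becomes NULL
    }
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Replaces the interpolated UPDATE. The id is bound as an integer, which closes the
// unquoted-integer case from point 3 of the answer; the caller casts: (int) $_GET['id'].
function updateCoupon(PDO $pdo, int $cid, string $head, string $fineprint, string $exdate): int
{
    $stmt = $pdo->prepare('UPDATE coupon SET head = :head, fineprint = :fineprint,
        exdate = :exdate, creationdate = NOW() WHERE id = :id');
    $stmt->bindValue(':head', $head);
    $stmt->bindValue(':fineprint', $fineprint);
    $stmt->bindValue(':exdate', $exdate);
    $stmt->bindValue(':id', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}
```

With this shape the per-page escaping loop from the question becomes unnecessary, since no request value is ever concatenated into SQL.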

