我可以避免SQL注入吗? [英] Am I safe from SQL-injections?
本文介绍了我可以避免SQL注入吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我使用一个简单的cms作为我网站的后端,在那里我可以更新新闻等.我想对SQL注入安全,所以我想知道这段代码是否被认为是安全的,或者是否可以做些什么使它更安全:
I'm using a simple cms as backend to my website where I'm able to update news and such. I want to be safe from SQL-injections, so I'm wondering if this code is considered to be safe or if there's something I can do to make it safer:
if($_POST) {
if(isset($_POST['title']) and (isset($_POST['content']) and ($_POST['added']))) {
$title = "'".mysql_real_escape_string($_POST['title'])."'";
$content = "'".mysql_real_escape_string($_POST['content'])."'";
$added = "'".mysql_real_escape_string($_POST['added'])."'";
if(isset($_POST['id']) && $_POST['id']!=''){
$result = mysql_query("UPDATE news SET title = ".$title.", added =".$added.", content = ".$content." WHERE id = ".$_POST['id']);
$msg = "News Updated Successfully";
}else{
$result = mysql_query("INSERT INTO news (title, content, added) values($title, $content, $added)") or die("err0r");
$msg = "News Added Successfully";
}
}
谢谢,祝你有美好的一天!
Thanks and have a great day!
推荐答案
您没有对$_POST['id']
进行消毒.
在其上执行intval()
,或者,如果ID不是整数(假设ID是int
字段),则(最好)完全拒绝处理.
Do an intval()
on it, or (better) refuse processing altogether if the ID is not an integer (assuming ID is an int
field).
if (!is_numeric($_POST['id'])
die ("Invalid ID");
这篇关于我可以避免SQL注入吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文