我可以避免SQL注入吗? [英] Am I safe from SQL-injections?

问题描述

我使用一个简单的cms作为我网站的后端，在那里我可以更新新闻等.我想对SQL注入安全，所以我想知道这段代码是否被认为是安全的，或者是否可以做些什么使它更安全:

I'm using a simple cms as backend to my website where I'm able to update news and such. I want to be safe from SQL-injections, so I'm wondering if this code is considered to be safe or if there's something I can do to make it safer:

if($_POST) {
    if(isset($_POST['title']) and (isset($_POST['content']) and     ($_POST['added']))) {
        $title = "'".mysql_real_escape_string($_POST['title'])."'";
        $content = "'".mysql_real_escape_string($_POST['content'])."'";
        $added = "'".mysql_real_escape_string($_POST['added'])."'";

        if(isset($_POST['id']) && $_POST['id']!=''){
            $result = mysql_query("UPDATE news SET title = ".$title.",     added =".$added.", content = ".$content."  WHERE id = ".$_POST['id']);
            $msg = "News Updated Successfully";
        }else{
            $result = mysql_query("INSERT INTO news (title, content, added) values($title, $content, $added)") or die("err0r");
            $msg = "News Added Successfully";
        }
    }

谢谢，祝你有美好的一天！

Thanks and have a great day!

推荐答案

您没有对$_POST['id']进行消毒.

在其上执行intval()，或者，如果ID不是整数(假设ID是int字段)，则(最好)完全拒绝处理.

Do an intval() on it, or (better) refuse processing altogether if the ID is not an integer (assuming ID is an int field).

if (!is_numeric($_POST['id'])
 die ("Invalid ID");

这篇关于我可以避免SQL注入吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！