How to prevent SQL Injection in parameters with CakePHP


Question

How to prevent SQL Injection while fetching data from the database when using parameters received from the user input:

if (isset($_GET['cityval']) && $_GET['cityval'] != '') {
    $city = $this->request->query('cityval');
    // user input is placed straight into the SQL text, unescaped
    $searching .= " and college_city in ($city) ";
} else {
    $searching .= "";
}
if (isset($_GET['scholarship']) && $_GET['scholarship'] != '') {
    // same here: the raw GET value is concatenated into the query
    $searching .= " and college_scholarship = '".$_GET['scholarship']."' ";
} else {
    $searching .= "";
}

And my main query is below

$search = $this->Search->query("select * from colleges where college_id!='' and status='active' $searching order by $order desc limit $start, 10 ");

Solution

Start actually using the framework or don't use it at all. You're not using the request object, you're not using the ORM, you're working against and around the framework. From your code it is totally clear that you haven't bothered to spend some time reading the manual.

wcomnisky's answer has a ton of code that is not required, nor is that answer using the framework in its intended way either.

If you care about creating some well written code then you really should start by doing the blog tutorial of the official documentation, book.cakephp.org. If not, stop reading and do what wcomnisky proposes. It might work but it's not good code, nor the correct way to use the framework, nor is it the most simple solution. If you don't have an interest in doing things properly you can stop reading now.


What you try to do is obviously to search by GET parameters. There is a wonderful plugin that makes it pretty easy: https://github.com/FriendsOfCake/search

It could be actually that easy with the plugin:

$query = $this->Colleges->find('search', [
    'search' => $this->request->query
]);
$this->set('results', $this->Paginator->paginate($query));

The search params themselves will be handled in the model layer; check the plugin's documentation on that. And the framework will take care of sanitizing the input.

The above requires that you actually understood the very basics of the framework and that you know what you are doing. If, for whatever reason, you have no interest in using what the framework offers you, it will be better to not use it at all, because you'll just pile up unmaintainable code and cause overhead.
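To make the answer's point concrete, here is the question's search rewritten against the CakePHP 3 ORM query builder so that every user-supplied value travels as a bound parameter rather than being concatenated into the SQL text. This is an added example, not code from the question, the answer or the FriendsOfCake plugin; the table and column names are taken from the question, while the controller name, the action and the ORDER BY whitelist are assumptions.

```php
<?php
// Added example: the question's string-built search expressed with the CakePHP 3
// ORM. Values become placeholders (college_city IN (:c0,:c1), status = :c2),
// so quotes or commas in the input never change the query structure.
namespace App\Controller;

class CollegesController extends AppController
{
    public function index()
    {
        // A column name cannot be bound as a parameter, so the ORDER BY column
        // is checked against a fixed list instead of being interpolated.
        // (assumed whitelist; adjust to the real columns of the table)
        $allowedOrder = ['college_name', 'created'];
        $order = $this->request->query('order');
        if (!in_array($order, $allowedOrder, true)) {
            $order = 'created';
        }

        $query = $this->Colleges->find()
            ->where([
                'college_id !=' => '',
                'status' => 'active',
            ])
            ->order([$order => 'DESC']);

        $city = $this->request->query('cityval');
        if ($city !== null && $city !== '') {
            // "college_city in (...)": an array value becomes a bound IN list;
            // explode() guarantees at least one element, so the list is never empty.
            $cities = array_map('trim', explode(',', $city));
            $query->where(['college_city IN' => $cities]);
        }

        $scholarship = $this->request->query('scholarship');
        if ($scholarship !== null && $scholarship !== '') {
            // Equality with a bound value instead of '".$_GET['scholarship']."'
            $query->where(['college_scholarship' => $scholarship]);
        }

        // LIMIT/OFFSET are produced by the paginator from validated integers,
        // replacing the interpolated "$start, 10" of the original query.
        // $query->sql() shows the generated SQL with its placeholders.
        $this->set('results', $this->Paginator->paginate($query, ['limit' => 10]));
    }
}
```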
