如果使用下拉菜单,是否必须防止SQL注入? [英] Do I have to guard against SQL injection if I used a dropdown?
问题描述
我知道您绝不应该信任表单中的用户输入,这主要是由于有注入SQL的机会.
I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection.
但是,这也适用于唯一输入来自下拉菜单的表单吗?(见下文)?
However, does this also apply to a form where the only input is from a dropdown(s) (see below)?
我将$_POST['size']
保存到一个Session中,然后在整个站点中使用它来查询各种数据库(使用mysqli
Select查询),任何SQL注入肯定会损害(可能会删除)它们.
I'm saving the $_POST['size']
to a Session which is then used throughout the site to query the various databases (with a mysqli
Select query) and any SQL injection would definitely harm (possibly drop) them.
没有类型可供用户输入的区域来查询数据库,只有下拉列表.
There is no area for typed user input to query the databases, only dropdown(s).
<form action="welcome.php" method="post">
<select name="size">
<option value="All">Select Size</option>
<option value="Large">Large</option>
<option value="Medium">Medium</option>
<option value="Small">Small</option>
</select>
<input type="submit">
</form>
推荐答案
您可以执行以下示例中的简单操作,以确保发布的大小符合您的期望.
You could do something as simple as the following example to make sure the posted size is what you expect.
$possibleOptions = array('All', 'Large', 'Medium', 'Small');
if(in_array($_POST['size'], $possibleOptions)) {
// Expected
} else {
// Not Expected
}
如果要使用的PHP> = 5.3.0版本,请使用mysqli_ *来保存结果.如果正确使用,将有助于SQL注入.
Then use mysqli_* if you are using a version of php >= 5.3.0 which you should be, to save your result. If used correctly this will help with sql injection.
这篇关于如果使用下拉菜单,是否必须防止SQL注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!