如果使用下拉菜单，是否必须防止SQL注入? [英] Do I have to guard against SQL injection if I used a dropdown?

问题描述

我知道您绝不应该信任表单中的用户输入，这主要是由于有注入SQL的机会.

I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection.

但是，这也适用于唯一输入来自下拉菜单的表单吗?(见下文)?

However, does this also apply to a form where the only input is from a dropdown(s) (see below)?

我将$_POST['size']保存到一个Session中，然后在整个站点中使用它来查询各种数据库(使用mysqli Select查询)，任何SQL注入肯定会损害(可能会删除)它们.

I'm saving the $_POST['size'] to a Session which is then used throughout the site to query the various databases (with a mysqli Select query) and any SQL injection would definitely harm (possibly drop) them.

没有类型可供用户输入的区域来查询数据库，只有下拉列表.

There is no area for typed user input to query the databases, only dropdown(s).

<form action="welcome.php" method="post">
<select name="size">
  <option value="All">Select Size</option> 
  <option value="Large">Large</option>
  <option value="Medium">Medium</option>
  <option value="Small">Small</option>
</select>
<input type="submit">
</form>

推荐答案

您可以执行以下示例中的简单操作，以确保发布的大小符合您的期望.

You could do something as simple as the following example to make sure the posted size is what you expect.

$possibleOptions = array('All', 'Large', 'Medium', 'Small');

if(in_array($_POST['size'], $possibleOptions)) {
    // Expected
} else {
    // Not Expected
}

如果要使用的PHP> = 5.3.0版本，请使用mysqli_ *来保存结果.如果正确使用，将有助于SQL注入.

Then use mysqli_* if you are using a version of php >= 5.3.0 which you should be, to save your result. If used correctly this will help with sql injection.

这篇关于如果使用下拉菜单，是否必须防止SQL注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！