GET parameters vulnerable to SQL Injection - PHP


Problem description


I've been asked to handle a security issue for a site which was set up by another programmer. As of yet, I haven't seen any of the code, so I'm going off of assumptions at this point and I want to cover my bases. The group hosting the site ran a security check and found that they had code vulnerable to SQL injection.


Example: www.example.com/code.php?pid=2&ID=35 (GET parameter ID is vulnerable to SQL Injection)


Now, because I'm a novice, I've explained that I can likely resolve the issue with the host, but their site would still need to be looked over by someone who has a deeper knowledge of security.


So, to take care of potential SQL Injections (and without seeing the code), I would use mysql_real_escape_string:

$query = sprintf("SELECT * FROM table WHERE pid='%s' AND ID='%s'",
            mysql_real_escape_string($pid),
            mysql_real_escape_string($id));


Additionally, I would consider mysqli_real_escape_string and prepared statements, but I don't know how they're configured. But would mysql_real_escape_string take care of potential SQL Injection?

Recommended answer


Skip the old mysql_* stuff if you can and use PDO.

$pdo = new PDO('mysql:host=localhost;dbname=whatever', $username, $password);

// Placeholders keep the user-supplied values separate from the SQL text.
$statement = $pdo->prepare('SELECT * FROM table WHERE pid=:pid AND ID=:id');

// GET keys are case-sensitive: the example URL uses "ID", not "id".
$statement->bindParam(':pid', $_GET['pid']);
$statement->bindParam(':id', $_GET['ID']);

// execute() returns a bool; the rows are fetched from the statement itself.
$statement->execute();

var_dump($statement->fetchAll());
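As an added example that is not part of the original answer, here is the same PDO approach with the settings a reviewer would ask for: the connection charset in the DSN, exceptions on error, native (non-emulated) prepares, and both URL parameters validated as integers before they are bound. The DSN, credentials, table and column names are placeholders assumed for illustration.

```php
<?php
// Added example (not the original answer's code). DSN, credentials and the
// `table` name are placeholders; adjust them to the real schema.
declare(strict_types=1);

function connect(): PDO
{
    // charset in the DSN keeps client and server escaping in agreement.
    $dsn = 'mysql:host=localhost;dbname=whatever;charset=utf8mb4';
    return new PDO($dsn, 'db_user', 'db_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: values are never parsed as SQL
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Both parameters in the question's URL are numeric IDs, so reject anything
// that is not a positive integer before it reaches the database at all.
function requireIntParam(string $name): int
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($value === false || $value === null) { // false: invalid, null: missing
        http_response_code(400);
        exit('Invalid or missing parameter: ' . $name);
    }
    return $value;
}

function fetchRows(PDO $pdo, int $pid, int $id): array
{
    // Named placeholders carry the values out of band; quotes or SQL keywords
    // inside a value stay data and cannot change the statement's structure.
    $stmt = $pdo->prepare('SELECT * FROM `table` WHERE pid = :pid AND ID = :id');
    $stmt->bindValue(':pid', $pid, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();        // returns bool; rows come from the statement object
    return $stmt->fetchAll();
}

// Parameter names are case-sensitive: the example URL uses "pid" and "ID".
$rows = fetchRows(connect(), requireIntParam('pid'), requireIntParam('ID'));
header('Content-Type: application/json');
echo json_encode($rows);
```

Validating the type first means a malformed value is rejected with a 400 before any query runs, and the prepared statement protects whatever does get through.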
