防止SQL注入-PDO,mysqli [英] Secure against SQL Injection - PDO, mysqli
问题描述
可能重复:
防止PHP中的SQL注入的最佳方法
Possible Duplicate:
Best way to prevent SQL Injection in PHP
我刚刚发现我的网站很糟糕.
I just found that my website is vunerable.
由于它已连接到数据库,并具有以下功能:注册,更改密码,通知等...,并且假定它完全脆弱.
Since it's connected to a DB and have functions like: Register, Change Password, Notices, etc... and SUPOSING it's fully vulnerable.
我应该在代码中寻找什么以使其变得安全?
What should I look for into the code in order to start making it safe?
我的意思是,我做了一些研究,到处都有,每个人对安全性的看法都不尽相同.
I mean, I did some researches and everywhere, everyone says different things about security.
使用PDO."
"Use PDO."
使用mysql_real_escape_string."
"Use mysql_real_escape_string."
使用加号."
我应该寻找什么?
"$_POST" and "$_GET" variables??
"$_SESSION" variables?
SQL查询?
$sql = "select * from user";
$sql = "update user set user="new_user_name";
$sql = "insert into user (user) values ('userid')";
在每种情况下我该怎么办? 拜托,帮我知道我该去什么地方和去哪里.
What should I do in each case? Please, help me to know what and where I must go.
谢谢.
推荐答案
以下是制作安全php应用程序要考虑的重点.
Following are the points to be considered for making safe php application.
- 使用PDO或mysqli
- 从不信任任何输入.考虑每个变量,即$ _POST,$ _ GET,$ _ COOKIE,$ _ SESSION,$ _ SERVER,就好像它们已被污染一样.对这些变量使用适当的过滤措施.
- 为避免XSS攻击,请使用php的内置函数htmlentities, 将用户输入数据插入 数据库.
- 禁用PHP.INI中的全局寄存器
- 在PHP.INI中禁用"allow_url_fopen"
- 不允许用户输入超出要求的数据.验证输入到 允许最大字符数.还要验证每个字段的 相关数据类型.
- 在开发期之后禁用错误报告.它可能会给 有关数据库的信息,这些信息将对黑客有用.
- 发布表单时使用一次令牌.如果令牌存在并且匹配 表单发布有效,否则无效.
- 使用参数化的数据库查询
- 使用存储过程
- USE PDO or mysqli
- Never trust any inputs. Consider every variable viz $_POST, $_GET, $_COOKIE, $_SESSION, $_SERVER as if they were tainted. Use appropriate filtering measure for these variables.
- To avoid XSS attack use php’s builtin functions htmlentities, strip_tags, etc while inserting the user input data into the database.
- Disable Register Globals in PHP.INI
- Disable "allow_url_fopen" in PHP.INI
- Don’t allow user to input more data than required. Validate input to allow max number of characters. Also validate each field for relevant datatypes.
- Disable error reporting after Development period. It might give information about database that’ll be useful to hackers.
- Use one time token while posting a form. If token exist and matches the form post is valid otherwise invalid.
- Use parametrized database queries
- Use stored procedures
您可以通过Google搜索每个点以获取更多详细信息. 希望这会有所帮助
You can google for each point for more details. HOpe this helps
这篇关于防止SQL注入-PDO,mysqli的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
