没有用户交互性我还能获得SQL注入吗 [英] No user interactivity Can I still get SQL Injection

问题描述

我有一些页面仅显示数据库表中的数据，而php页面仅显示它们没有任何按钮，链接，下拉菜单或表单的信息.

I have pages that only display data from DB tables, the php pages only display the information they don't have any buttons, links, drop down menus, or forms.

我使用的是旧版mysql，而不是mysqli或PDO作为语法

Im using the old mysql and not the mysqli or PDO for syntax

我还能得到SQl注入黑客吗?

Can I still get a SQl injection hack?

推荐答案

如果查询独立于请求，则很安全.请注意，这意味着用户非常有创造力.您可能会依赖一些您不了解的用户数据.例如.这样的脚本可能已损坏:

If the query is independent of the request you are safe. Be warned that mean users are very creative. You might have some dependency on user data which you are not aware of. E.g. a script like this might be broken:

$locale = Locale::acceptFromHttp($_SERVER['HTTP_ACCEPT_LANGUAGE']);
$sql = "SELECT * FROM entities WHERE id = 7 and locale = '$locale'";

^{免责声明::我不知道Locale::acceptFromHttp()是否进行了某些验证.让我们假设这篇文章的上下文没有.}

^{Disclaimer: I'm not aware if Locale::acceptFromHttp() does some validation. Let's just assume for the context of this post it doesn't.}

我不想说没有准备好的声明.太棒了，使用它们真的没有伤害.

I don't want to say it's not possible to write safe code without prepared statements. OTOH it really doesn't hurt using them.

这篇关于没有用户交互性我还能获得SQL注入吗的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！