这个MySQL查询如何容易受到SQL注入的攻击? [英] How is this MySQL query vulnerable to SQL injection?

问题描述

在评论上一个问题时，有人说以下sql语句使我可以进行sql注入:

In a comment on a previous question, someone said that the following sql statement opens me up to sql injection:

select
    ss.*,
    se.name as engine,
    ss.last_run_at + interval ss.refresh_frequency day as next_run_at,
    se.logo_name    
from 
    searches ss join search_engines se on ss.engine_id = se.id
where
    ss.user_id='.$user_id.'
group by ss.id
order by ss.project_id, ss.domain, ss.keywords

假设$userid变量正确地进行了转义，这如何使我变得脆弱，我该如何解决?

Assuming that the $userid variable is properly escaped, how does this make me vulnerable, and what can I do to fix it?

推荐答案

假设已正确转义，它不会使您容易受到攻击.事实是，正确地转义比乍看起来要难，并且每次这样的查询时，您都谴责自己可以正确地转义.如果可能，请避免所有麻烦，并使用准备好的语句(或绑定的参数或参数化查询).这样做的目的是允许数据访问库正确地转义值.

Assuming it is properly escaped, it doesn't make you vulnerable. The thing is that escaping properly is harder than it looks at first sight, and you condemn yourself to escape properly every time you do a query like that. If possible, avoid all that trouble and use prepared statements (or binded parameters or parameterized queries). The idea is to allow the data access library to escape values properly.

例如，在PHP中，使用 mysqli :

For example, in PHP, using mysqli:

$db_connection = new mysqli("localhost", "user", "pass", "db");
$statement = $db_connection->prepare("SELECT thing FROM stuff WHERE id = ?");
$statement->bind_param("i", $user_id); //$user_id is an integer which goes 
                                       //in place of ?
$statement->execute();

这篇关于这个MySQL查询如何容易受到SQL注入的攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！