Prevention against MySQL injection


Problem description

I'm a noob in PHP and I'm having a hard time protecting my code against MySQL injection. What my code does is that it fetches the info that has been submitted from a form and then inserts it into the database. I don't know where to put the protection. Can anyone please help me? Thank you very much. This is my code:

<?php
$db_host="localhost";  
$db_uname="regina_rainier";    
$db_pass="rainier1990"; 
$db_name="regina_testdatabase";  
$url = 'home.php';

$con=@mysql_connect($db_host,$db_uname,$db_pass);  
// Check connection
if (!$con)
{
echo "<br />";
die('Could not connect: ' . mysql_error());
}
else{
echo "<br />";
}
mysql_select_db($db_name) or die("cannot find database"); 
echo "<br />";



$sql="INSERT INTO costumer (costumer_ID,  first_name, last_name, birth_date, adress,  city, state,
 postal_code, country, phone, email_client,username, password, Credit_Card, Credit_CardType) 
VALUES 
('$_POST[costumer_ID]',  '$_POST[first_name]', '$_POST[last_name]',     '$_POST[birth_date]', '$_POST[adress]', '$_POST[city]', '$_POST[state]', '$_POST[postal_code]', '$_POST[country]', '$_POST[phone]', '$_POST[email_client]','$_POST[username]', '$_POST[password]','$_POST[Credit_Card]','$_POST[Credit_CardType]');";


echo "<br />";

if (!mysql_query($sql,$con))
{ 
echo "<br />";
die('Error: ' . mysql_error());
}
$sql2="INSERT INTO login(password, username, costumer_costumer_ID) 
VALUES ('$_POST[username]',  '$_POST[password]', '$_POST[costumer_ID]');";
if(!mysql_query($sql2,$con)){
echo "<br />";
die ("ERROR: ".mysql_error());

}


if (isset($_REQUEST['email_client'])){

$email = $_REQUEST['email_client'] ;
$subject = 'Email Confirmation testing';
$message = 'Greetings'." ". $_REQUEST['first_name'].","."\n" 
."We have received your request."."\n". "Please check if the fields are filled correctly."."\n\n"
."Desired Username: ".$_REQUEST['username']."\n" 
."Desired password is: ".$_REQUEST['password']."\n"
."I.D. number: ".$_REQUEST['costumer_ID']."\n"
."First name: ".$_REQUEST['first_name']."\n"
."Last name: ".$_REQUEST['last_name']."\n"
."Birth date: ".$_REQUEST['birth_date']."\n"
."Adress: ".$_REQUEST['adress']."\n"
."City: ".$_REQUEST['city']."\n"
."Country: ".$_REQUEST['country']."\n"
."Phone: ".$_REQUEST['phone']."\n"
."Email Adress: ".$_REQUEST['email_client']."\n"
."Card Number: ".$_REQUEST['Credit_Card']."\n"
."Card Type:".$_REQUEST['Credit_CardType']."\n"
."\n\n Your account was succesfully created";


$_sender='www.postmasterSPapiesOnlineShopping.com';
mail($email, $subject,
$message, "From:" . $_sender );


}



 echo"<br />";
 echo " Congratulations, your account was succesfully created.";

mysql_close($con);


echo '<META HTTP-EQUIV=Refresh CONTENT="0; URL='.$url.'">';
?>

</header>
</html>

Recommended answer

Use prepared statements

What they do is first send a version of the query with placeholders for the data. The query is verified and prepared. If successful, you can send the values, which the database will safely insert into the prepared query.

There are three options:

$stmt = $mysqli->prepare('INSERT INTO costumer (costumer_ID,  first_name, last_name, birth_date, adress,  city, state, postal_code, country, phone, email_client,username, password, Credit_Card, Credit_CardType) 
                         VALUES 
                         (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');

// mysqli binds by reference: one type character per placeholder (i = integer, s = string)
$stmt->bind_param('issssssssssssss', $_POST['costumer_ID'], ..., $_POST['Credit_CardType']);
$stmt->execute();


The PDO extension

// use native prepared statements if supported
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$stmt = $pdo->prepare('INSERT INTO costumer (costumer_ID,  first_name, last_name, birth_date, adress,  city, state, postal_code, country, phone, email_client,username, password, Credit_Card, Credit_CardType) 
                       VALUES 
                       (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)');

$stmt->bindParam(1, $_POST['costumer_ID'], PDO::PARAM_INT);
...
$stmt->bindParam(15, $_POST['Credit_CardType']);

$stmt->execute();


Raw queries via any extension

I'm not going to give an example because the other two methods are far superior.
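The two INSERTs from the question rewritten with PDO prepared statements, as an added example that is not part of the original answer. It assumes the question's table and column names and MySQL behind PDO; the connection credentials are placeholders.

```php
<?php
// Added example, not the asker's or answerer's code. Assumed: the question's
// tables and columns; DB_USER_PLACEHOLDER / DB_PASSWORD_PLACEHOLDER are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=regina_testdatabase;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Fixed list of form fields; column names come from this array, never from the request.
$fields = ['costumer_ID', 'first_name', 'last_name', 'birth_date', 'adress', 'city',
           'state', 'postal_code', 'country', 'phone', 'email_client', 'username',
           'password', 'Credit_Card', 'Credit_CardType'];
$params = [];
foreach ($fields as $f) {
    $params[':' . $f] = $_POST[$f] ?? '';   // user input is only ever passed as a bound value
}

// The SQL text is fixed at prepare time; every value is a named placeholder.
$cols  = implode(', ', $fields);
$marks = implode(', ', array_keys($params));
$insertCustomer = $pdo->prepare("INSERT INTO costumer ($cols) VALUES ($marks)");
$insertLogin    = $pdo->prepare(
    'INSERT INTO login (password, username, costumer_costumer_ID)
     VALUES (:password, :username, :costumer_ID)'
);

// Both rows are written or neither is.
$pdo->beginTransaction();
try {
    $insertCustomer->execute($params);
    $insertLogin->execute([
        ':password'    => $params[':password'],
        ':username'    => $params[':username'],
        ':costumer_ID' => $params[':costumer_ID'],
    ]);
    $pdo->commit();
} catch (PDOException $e) {
    $pdo->rollBack();
    error_log($e->getMessage());   // keep driver error details out of the response
    die('Could not create the account.');
}
```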
