SQL Injection Prevention - GET_VARS


Question

I have a url, that when valid would look like this:

site.com/page.php?id=12345

I'm trying to understand if we're vulnerable to sql injection. In this particular instance, the value should only be a positive integer value, since it's an id number. We do sometimes use other variables that could be a letter, or a string of text, for example, the search results pages.

An example of the code used to extract the ID variable is here:

$variable = "0";
if (isset($HTTP_GET_VARS["id"])) {
  // $HTTP_GET_VARS is the old name for $_GET (deprecated in PHP 4.1, removed in 5.4).
  // addslashes() escapes only quotes, backslashes and NUL bytes; it is skipped when
  // magic_quotes_gpc (also removed in PHP 5.4) has already applied the same escaping.
  $variable = (get_magic_quotes_gpc()) ? $HTTP_GET_VARS["id"] : addslashes($HTTP_GET_VARS["id"]);
}

In most instances of getting a variable from the url, it is approached this way.

Is this doing anything to prevent sql injections?

Should I be using mysql_real_escape_string?

I've been reading about prepared statements, but it seems daunting and we use these variables all over the place on site with a lot of pages and queries. Going through and replacing them just isn't viable in the short or mid term.

If there was an alternative way to go about validating the data without prepared statements, any advice would be much appreciated.

Thanks.

Recommended answer

Is this doing anything to prevent sql injections?

No.

Should I be using mysql_real_escape_string?

No.

If there was an alternative way.

No.
Every way will require rewriting of all the code - this way or another.

However, the choice is yours.
If the site's value isn't worth the effort required to rewrite it properly - well, keep it as is.
If the value is high - try to hire someone to do the job, for example.
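To make the answer's "No" concrete, here is an added example (not code from the question or the answer) that runs the questioner's addslashes() pattern against an in-memory table beside the two defences that actually hold: whitelist validation of the id and a prepared statement. It assumes PHP 7+ with the PDO SQLite driver; the table, rows and input are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or the answer. It shows why the
// addslashes() pattern does nothing for an unquoted integer id, and the two
// defences that hold: whitelist validation plus a prepared statement.
// Assumes PHP 7+ with the PDO SQLite driver; an in-memory table stands in for MySQL.

function lookupLegacy(PDO $db, string $raw): array {
    // The questioner's pattern: addslashes() and then string-building the query.
    $variable = addslashes($raw);
    return $db->query("SELECT id, title FROM page WHERE id = $variable")
              ->fetchAll(PDO::FETCH_ASSOC);
}

function validatedId(string $raw): ?int {
    // Whitelist: the id must be a positive integer and nothing else.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function lookupPrepared(PDO $db, int $id): array {
    // Parameterized query: the id is bound as data, never spliced into SQL text.
    $stmt = $db->prepare('SELECT id, title FROM page WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO page VALUES (12345, 'public'), (12346, 'private')");

// Constructed input: not a valid id, yet it contains no quote or backslash,
// so addslashes() returns it unchanged and it becomes part of the WHERE clause.
$raw = '12345 OR 1=1';
echo "legacy pattern returns ", count(lookupLegacy($db, $raw)), " rows\n";

// Defence 1: reject the input before it gets anywhere near the query.
echo "validatedId: ", var_export(validatedId($raw), true), "\n";

// Defence 2: with a valid id, the prepared statement matches exactly the intended row.
echo "prepared pattern returns ", count(lookupPrepared($db, validatedId('12345'))), " rows\n";
```

The legacy lookup returns every row because the "filter" left the input untouched, while validatedId() rejects it outright and the prepared lookup is confined to the single id it was given.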
