避免在注册表格php中进行SQL注入 [英] Avoid SQL injection in registration form php

问题描述

我在本地主机上有一个简单的注册表单(仍在测试中)，我想知道它是否可以被SQL注入攻击?

I've a simple registration form on my localhost (still testing), and I am wondering if it can be attacked by SQL injection?

代码:

$name = mysql_real_escape_string($_POST['name']);
$password = mysql_real_escape_string($_POST['password']);
$password = md5($password);
$email = mysql_real_escape_string($_POST['email']);
$refId = $_GET['refid'];
$ip = $_SERVER['REMOTE_ADDR'];


$add = mysql_query("INSERT INTO `users` (`name`, `password`, `email`, `refId`, `ip`)
VALUES('$name','$password','$email','$refId', '$ip')") or die(mysql_error());

这样安全吗?或者有人可以使用SQL注入(我想知道怎么做)?如何避免注射?

Is that safe or can someone use SQL injection (I'd like to know how)? How can I avoid injection?

推荐答案

避免注入的最佳方法是使用

The best way to avoid injections is to use Prepared Statements.
For prepared Statements I prefer to use PDO to handle all my DB stuff. here is some PDO sample code I wrote to retrieve some basic login information:

$sql=new PDO("mysql:host=127.0.0.1;dbname=name","user","password");
        $user=$_POST[user];

        $query="select Salt,Passwd from User
                where Name=:user";
        $stmt=$sql->prepare($query);
        $stmt->bindParam(':user',$user);
        $stmt->execute();
        $dr=$stmt->fetch();        
        $sql=null; 
        $password=$_POST[pass];
        $salt=$dr['Salt'];

...等等

阅读此页面，以获取有关PDO的更多信息.如果您想知道这里每一行的代码在做什么，请阅读此我在另一篇文章中给出的答案.

Read this page for more information on PDO. If you want to know what each line of code here is doing, read this answer I gave to another post.

这篇关于避免在注册表格php中进行SQL注入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！