让用户指定要搜索的 mysql 字段是否安全? [英] Is it safe to let the user specify the mysql field to search?

问题描述

我有一个搜索程序，它有多个与 mysql 数据库中的字段相对应的输入文本框.我想知道使用自定义搜索框是否安全，用户可以在其中输入要搜索的实际字段及其值.

I have a search program that has multiple input text boxes that correspond to fields in a mysql database. I would like to know if it is safe to have a custom search box where the user can enter the actual field to be searched and its value.

像这样:

<form method='post'>
 <input type='text' name='param1' />
 <input type='text' name='param2' />
 <input type='text' name='customField' />
 <input type='text' name='customValue' />
</form>

然后当它被提交时:

$param1 = mysql_real_escape_string($_POST['param1']);
$param2 = mysql_real_escape_string($_POST['param2']);
$customField = mysql_real_escape_string($_POST['customField']);
$customValue = mysql_real_escape_string($_POST['customValue']);

$query = "SELECT * FROM mytable WHERE field1 LIKE '" . $param1 . "' AND field2 LIKE '" . $param2 . "' AND " . $customField . " LIKE '" . $customValue . "'";

这是一个内部网页，我们中只有少数人会真正看到这些新框，但我想知道这里是否可以进行诸如 sql 注入之类的操作.

This is an internal webpage and only a few of us will actually see these new boxes but I would like to know if something like sql injection is possible here.

推荐答案

您应该检查他们提供的字段是否在您允许在其中搜索的字段列表/数组中.在查询中的字段名称周围添加反引号也是为了更加安全.做这两件事将防止通过这些变量进行任何注入.

You should check that the fields they provided are in a list/array of fields you allow searching within. Add backticks around the field names in the query just to be extra safe as well. Doing both those things will prevent any injection through those variables.

这篇关于让用户指定要搜索的 mysql 字段是否安全?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！