有人可以根据 php 中的会话变量执行 SQL 注入吗? [英] Can someone perform a SQL Injection based on session variables in php?

问题描述

基本上，我正在制作一个网络应用程序，我正在通过它的安全性来使我的应用程序尽可能健壮.

Basically I am making a web application and I am going through the security of it to make my app as robust as I can.

一旦您登录我的应用，我就会根据会话变量跟踪该用户.

Once you're logged in to my app I track that user based on session variables.

当执行 SQL 时，它需要用户会话变量来查看他们是谁.

When SQL is performed it takes the users session variable to see who they are for example.

 $name = $_SESSION['user_name'];

一个示例查询将是这样的..

A example query would be something like this..

 $query1 = "SELECT * FROM tableName WHERE userName = '$name'";

从阅读在线网站的角度来看，我不能使用SQL 语句中的用户输入"之类的话.我是否认为因为我使用会话变量，用户无法直接访问 sql 语句，或者会话变量仍然是用户输入"?

From reading online sites say things like I must not use "user input in SQL statements." Am I right in thinking that because I am using session variables the user does not have direct access to the sql statement or is session variables still "user input"?

如果不是，我应该通过普通的 SQL 注入预防方法，例如...

If not should I just go through the normal SQL Injection prevention methods like...

• 输入验证(根据长度、语法验证数据等)
• 检查用户权限以确保用户拥有最少的权限权限.
• 等等..

预先感谢任何人提出的任何意见.

Thanks in advance for any comments anyone makes.

推荐答案

数据来自哪里并不重要，因为在任何情况下，您都必须确保数据按预期解释.

It doesn’t matter where the data came from as in any case you have to ensure that the data is interpreted as intended.

确保使用参数化语句的最简单方法之一是使用参数化语句，其中 SQL 代码和参数值是分开传递的，这样参数值就不会被错误地解释为 SQL.

And one of the easiest way to ensure that is using parameterized statements, where the SQL code and parameter values are passed separately so that a parameter value can’t be mistakenly interpreted as SQL.

准备好的语句实现此参数化，本机或模拟.有了它们，您就不必担心某个值是否会受到用户输入的影响.

Prepared statements implement this parameterization, either native or emulated. With them you don’t have to worry about whether a value may be influenced by a user’s input.

这篇关于有人可以根据 php 中的会话变量执行 SQL 注入吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！