如果我使用下拉菜单,我是否必须防止 SQL 注入? [英] Do I have to guard against SQL injection if I used a dropdown?
问题描述
我知道您永远不应该相信来自表单的用户输入,主要是由于 SQL 注入的可能性.
I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection.
但是,这是否也适用于唯一输入来自下拉列表的表单(见下文)?
However, does this also apply to a form where the only input is from a dropdown(s) (see below)?
我将 $_POST['size']
保存到一个会话中,然后在整个站点中使用它来查询各种数据库(使用 mysqli
Select 查询) 并且任何 SQL 注入肯定会伤害(可能会丢弃)它们.
I'm saving the $_POST['size']
to a Session which is then used throughout the site to query the various databases (with a mysqli
Select query) and any SQL injection would definitely harm (possibly drop) them.
没有用于键入用户输入来查询数据库的区域,只有下拉列表.
There is no area for typed user input to query the databases, only dropdown(s).
<form action="welcome.php" method="post">
<select name="size">
<option value="All">Select Size</option>
<option value="Large">Large</option>
<option value="Medium">Medium</option>
<option value="Small">Small</option>
</select>
<input type="submit">
</form>
推荐答案
您可以执行以下示例一样简单的操作,以确保发布的大小符合您的预期.
You could do something as simple as the following example to make sure the posted size is what you expect.
$possibleOptions = array('All', 'Large', 'Medium', 'Small');
if(in_array($_POST['size'], $possibleOptions)) {
// Expected
} else {
// Not Expected
}
如果您使用的是 php >= 5.3.0 版本,那么使用 mysqli_* 来保存您的结果.如果使用得当,这将有助于 sql 注入.
Then use mysqli_* if you are using a version of php >= 5.3.0 which you should be, to save your result. If used correctly this will help with sql injection.
这篇关于如果我使用下拉菜单,我是否必须防止 SQL 注入?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!