如果我使用下拉菜单，我是否必须防止 SQL 注入? [英] Do I have to guard against SQL injection if I used a dropdown?

问题描述

我知道您永远不应该相信来自表单的用户输入，主要是由于 SQL 注入的可能性.

I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection.

但是，这是否也适用于唯一输入来自下拉列表的表单(见下文)?

However, does this also apply to a form where the only input is from a dropdown(s) (see below)?

我将 $_POST['size'] 保存到一个会话中，然后在整个站点中使用它来查询各种数据库(使用 mysqli Select 查询) 并且任何 SQL 注入肯定会伤害(可能会丢弃)它们.

I'm saving the $_POST['size'] to a Session which is then used throughout the site to query the various databases (with a mysqli Select query) and any SQL injection would definitely harm (possibly drop) them.

没有用于键入用户输入来查询数据库的区域，只有下拉列表.

There is no area for typed user input to query the databases, only dropdown(s).

<form action="welcome.php" method="post">
<select name="size">
  <option value="All">Select Size</option> 
  <option value="Large">Large</option>
  <option value="Medium">Medium</option>
  <option value="Small">Small</option>
</select>
<input type="submit">
</form>

推荐答案

您可以执行以下示例一样简单的操作，以确保发布的大小符合您的预期.

You could do something as simple as the following example to make sure the posted size is what you expect.

$possibleOptions = array('All', 'Large', 'Medium', 'Small');

if(in_array($_POST['size'], $possibleOptions)) {
    // Expected
} else {
    // Not Expected
}

如果您使用的是 php >= 5.3.0 版本，那么使用 mysqli_* 来保存您的结果.如果使用得当，这将有助于 sql 注入.

Then use mysqli_* if you are using a version of php >= 5.3.0 which you should be, to save your result. If used correctly this will help with sql injection.

这篇关于如果我使用下拉菜单，我是否必须防止 SQL 注入?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！