验证数据库匹配中的$ _GET id是否足够安全? [英] Is validating $_GET id in database match secure enough?
问题描述
现在我用来列出index.php上所有帖子的代码是:
$ postslist = mysqli_query($ db,SELECT * FROM posts);
while($ post = mysqli_fetch_array($ postlist)){
echo'< a href ='.SITEURL。'/ post.php?p ='。$ post [''
$ b $ / code>
$ b'['title']。'< / a>';
}
$ b
这个工程,我有我的index.php页面上显示的所有帖子和链接到post.php页面上发布。
在post.php页面上,我使用了如下代码:
if(!isset($ _ GET ['p']) ){
echo'不直接加载此页面';
}
else {
$ id = $ _GET ['p'];
$ querypost = mysqli_query( $ conn,
SELECT *
FROM posts
WHERE postid ='$ id');
$ data = mysqli_fetch_array($ querypost);
echo'< h3>。$ data ['title']。'< / h3>';
}
这工作正常,并检索与该ID后,但我有阅读一些教程和职位这可能是不安全的,并建议使用这样的代码来确保数据库的安全使用。
if(!isset($ _ GET ['p'])){
echo'不直接加载此页面';
}
else {
$ id = $ _GET ['p'];
$ id = mysqli_real_escape_string($ id);
$ querypost = mysqli_query($ conn,
SELECT *
FROM posts
WHERE postid ='$ id');
$ data = mysqli_fetch_array($ querypost);
echo'< h3>'。 $ data ['title']。 < / H3>;
}
但是这会抛出一个错误,所以它足够安全只是检查数据库if postid存在,如果这不够安全,我如何使它安全?
问题的第二部分
<编辑:好吧,我采取了搜索从你们发布的方法,几个小时后,我使它与mysqli_prepare一起工作,但将它用到post.php中是相当容易的,因为它只连接到posts表并将所有数据从一个表格基于post id。
但是当我在不同的页面上试用相同的方法时,这变得相当大的解决方案。
在第二页上,我必须从5个不同的表中抽取数据,这些表使用LEFT JOIN连接到表中特定列的特定ID的所有匹配,这就是它仅使用3个表出来的结果。
$ stmt = mysqli_prepare($ conn,
SELECT *
FROM赠送
INNER JOIN成员
ON giveaways.creator = members.steamID
INNER JOIN sc_steamgames
ON giveaways.gameid = sc_steamgames.appid
WHERE giveawayID =?);
mysqli_stmt_bind_param($ stmt,i,$ id);
mysqli_stmt_execute($ stmt);
mysqli_stmt_bind_result($ stmt,$ id,$ creator,$ comment,$ tcreated,$ tstarting,$ tfinish,$ provider,$ type,$ gameid,$ memberid,$ steamid,$ username,$ $ avatar,$ avatarbig,$ steamgames,$ regdate,$ verified,$ coins,$ gold,$ points,$ appid,$ title,$ storeprice,$ valuprice,$ pointsworth);
mysqli_stmt_fetch($ stmt);
echo $ creator。' - '。 $评论。 ' - '。 $ gameid。 ' - '。$ title。' - '。($ storeprice / 100);
mysqli_stmt_close($ stmt);
这个工作正常,但你可以看到它有多大的3个表格,我需要拉另外一个问题是,如果用户必须浏览一个静态值的页面,比如<2>,那么我想知道这是否是真正的解决方案,您可以使用它?
/ p>
index.php?go =即将到来的
我是否还需要使用一些更安全的方法或像现在一样使用它?
if(isset ($ _GET ['go'])&& $ _GET ['go'] =='coming')
足够安全吗?因为有已知的go值和预期值。
它抛出一个错误,因为 mysqli_real_escape_string
需要两个参数,第一个这是连接 $ conn
。
如果你这样做,它应该足够安全,但最好使用参数化查询。例如:
$ stmt = mysqli_prepare($ conn,SELECT cols FROM posts WHERE postid =?);
mysqli_stmt_bind_param($ stmt,'i',$ id);
检查 id因为您必须在查询中使用潜在的恶意
存在于不能防止注入的安全性首先做检查。 id
,所以中的
I have 2 pages on the website, one is index.php and index page list all posts that exist in database, and other page is post.php and post page display single post when clicked on specific post on index page.
Now the code that i used to list all posts on index.php is:
$postslist = mysqli_query($db, "SELECT * FROM posts");
while ($post = mysqli_fetch_array($postlist)) {
echo '<a href="' .SITEURL.'/post.php?p='.$post['postid'].'>'.$post['title'].'</a>';
}
And this works and i have all posts displayed on my index.php page and links link to post on post.php page.
And on post.php page i have used code like this:
if(!isset($_GET['p'])){
echo 'Dont load this page directly';
}
else {
$id = $_GET['p'];
$querypost = mysqli_query($conn,
"SELECT *
FROM posts
WHERE postid='$id'");
$data = mysqli_fetch_array($querypost);
echo '<h3>' . $data['title'] . '</h3>';
}
And this works fine and retrieve post with that id but i have reading some tutorials and posts here on stackoverflow and this might be little insecure and it was suggested to use code like this just to make sure to make it safe for database use
if(!isset($_GET['p'])){
echo 'Dont load this page directly';
}
else {
$id = $_GET['p'];
$id = mysqli_real_escape_string($id);
$querypost = mysqli_query($conn,
"SELECT *
FROM posts
WHERE postid='$id'");
$data = mysqli_fetch_array($querypost);
echo '<h3>' . $data['title'] . '</h3>';
}
But this throws an error, so is it secure enough just check against database if postid exists and how do i make it secure if this isn't secure enough?
Part 2 of the question
Edit: Well i have taken in to search about methods posted from you guys and after few hours i made it work with mysqli_prepare but using it into post.php is fairly easy as it only connects to posts table and pull all data from one table based on post id.
But when i tried out same method on different page this became rather big solution.
On second page i have to pull data from 5 different tables which are joined using LEFT JOIN to all match of specific id from specific column in table, and this is what it came out only using 3 tables.
$stmt = mysqli_prepare($conn,
"SELECT *
FROM giveaways
INNER JOIN members
ON giveaways.creator = members.steamID
INNER JOIN sc_steamgames
ON giveaways.gameid = sc_steamgames.appid
WHERE giveawayID=?");
mysqli_stmt_bind_param($stmt, "i", $id);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id, $creator, $comment, $tcreated, $tstarting, $tfinish, $provider, $type, $gameid, $memberid, $steamid, $username, $profileurl, $avatar, $avatarmed, $avatarbig, $steamgames, $regdate, $verified, $coins, $gold, $points, $appid, $title, $storeprice, $valuedprice, $pointsworth);
mysqli_stmt_fetch($stmt);
echo $creator .' - '. $comment . ' - '. $gameid . ' - ' .$title.' - '.($storeprice /100) ;
mysqli_stmt_close($stmt);
And this works fine, but you can see how massive it become with 3 tables and i need to pull info from 2 more tables so i was wondering if this is really solution that you would use ?
And another question, if user have to browse a page with static value like
index.php?go=upcoming
Do i need to use also some more security or using it like now
if(isset($_GET['go']) && $_GET['go'] == 'upcoming')
is secure enough? Since there is known value of go and what to expect.
It's throwing an error because mysqli_real_escape_string
expects two arguments, the first of which is the connection $conn
.
If you do this it should be secure enough, but it would be better to use a parameterized query. For example:
$stmt = mysqli_prepare($conn, "SELECT cols FROM posts WHERE postid = ?");
mysqli_stmt_bind_param($stmt, 'i', $id);
Checking that the id
exists in the database is not secure against injection at all since you have to use a potentially malicious id
in the query to do the check in the first place.
这篇关于验证数据库匹配中的$ _GET id是否足够安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!