doujiao1180 2014-03-31 18:25
浏览 45
已采纳

SQL注入尝试 - 我的代码容易受到攻击吗?

I found in my logs that someone is trying to attack my page. I have some sub-pages where data is pulled from an DB via an ID that is submitted by the URL. Like page.php?id=666 What I could find in my logs are these attacks:

page.php?id=../../../../../../../../../../etc/passwd
page.php?id=/proc/self/environ
page.php?id=-1%27

And even more important, is my code weak? Might this attack have been successful?

$id = intval($_GET['id']);
$stmt = $con->prepare("SELECT *
    FROM mytable AS myvar
    WHERE myvar.ID =:ID");
    $stmt->bindValue(':ID', $id, PDO::PARAM_INT);
    $stmt->execute();

Thanks in advance!

  • 写回答

2条回答 默认 最新

  • douxiong4250 2014-03-31 18:28
    关注

    No, this code is not vulnerable to SQL injections.

    Both the intval conversion and prepared statement with PDO::PARAM_INT binding ensure that only integer values are used in the comparison of the statement that is being executed.

    Anyways, the mentioned requests don’t seem to aim for identifying SQL injections only but several different vulnerabilities, e. g., Path Traversal (CWE-22) and Local File Inclusion (CWE-98) as well. So you may want to watch out for those vulnerabilities as well.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 关于#c##的问题:最近需要用CAT工具Trados进行一些开发
  • ¥15 南大pa1 小游戏没有界面,并且报了如下错误,尝试过换显卡驱动,但是好像不行
  • ¥15 没有证书,nginx怎么反向代理到只能接受https的公网网站
  • ¥50 成都蓉城足球俱乐部小程序抢票
  • ¥15 yolov7训练自己的数据集
  • ¥15 esp8266与51单片机连接问题(标签-单片机|关键词-串口)(相关搜索:51单片机|单片机|测试代码)
  • ¥15 电力市场出清matlab yalmip kkt 双层优化问题
  • ¥30 ros小车路径规划实现不了,如何解决?(操作系统-ubuntu)
  • ¥20 matlab yalmip kkt 双层优化问题
  • ¥15 如何在3D高斯飞溅的渲染的场景中获得一个可控的旋转物体