dongyi9484 2016-08-13 11:07
Views: 9
Accepted

User input PHP SQL protection

I'm currently setting up PHP scripts for my app and I'm a bit clueless about how to obtain a level of safety to prevent injections to the SQL server.

There are a few scripts that receive input from the app and not from the user directly, such as content browsing and content rating, although it is eventually an input.

The script that does receive direct user input as "name" and "creator name" is this:

<?php
// Current UTC time as a Unix timestamp (gmdate()/strtotime() round-trip;
// strtotime() parses the string in the default timezone, not UTC)
$utc_str = gmdate("M d Y H:i:s", time());
$TIMESTAMP = strtotime($utc_str);
$DATA = $_POST['DATA'];
$NAME = $_POST['NAME'];
$CREATOR = $_POST['CREATOR'];

// Length check on the two fields typed directly by the user
if(strlen($NAME) > 15 || strlen($CREATOR) > 15) exit("Error 2");

// $connect is an existing mysqli connection. The three strings are bound,
// but $TIMESTAMP is concatenated into the SQL text.
$stmt = $connect->prepare("INSERT INTO `ugcl` (`DATA`,`NAME`,`CREATOR`,`CREATEDSTAMP`)
                           VALUES (?, ?, ?, ". $TIMESTAMP .")");
$stmt->bind_param("sss", $DATA, $NAME, $CREATOR);

if($stmt->execute())
{
    echo "Success";
}
else
{
    echo "Error";
}

Should I use bind params in all of the scripts that receive input? Is there anything else that is recommended?


1 answer

  • doushi3454 2016-08-13 11:27

    Yes, you should use PREPARED STATEMENTS in PHP whenever making an input or output.

    Always bind the parameters so that the server always knows what datatype to expect. This will make sure you have added security in your application. Everything you enter should be used as a ? in the original statement, and bind the variables with the appropriate datatypes.

    You're directly entering the $TIMESTAMP, which I won't personally recommend either. Running that through a bind_param won't take much effort.

    Also, always close your connections with a $stmt->close() and $conn->close() once a query statement is completed. If you have multiple queries in a page, start the connection at the beginning of the queries and end it after all the queries are done.

    Also, another note on security: always validate and sanitize user inputs first. Never trust user data. Never take them to be valid in the first place.

    Edit: Also consider using PDO for database interaction.

    This answer was chosen by the asker as the best answer.
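The advice in the answer, carried through as an added example (this is not code from the question or the answer): the poster's insert rewritten so that every value, including the timestamp, is a bound parameter; the names are validated before the query; driver errors are raised as exceptions, logged server-side and never echoed to the client; and the statement and connection are closed when done. A PDO version of the same insert is included because the answer suggests it. The table and column names are the ones from the question; the connection credentials, the `validName()` character class and the function names are assumptions.

```php
<?php
// Added example, not from the original post. Connection details are placeholders.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate a user-typed name: 1..15 characters of letters, digits, space,
 * underscore or hyphen. The allowed set is an assumption; adjust to the app.
 * Validation is for data quality; the injection protection is the binding below.
 */
function validName(string $s): bool
{
    return preg_match('/\A[\p{L}\p{N} _-]{1,15}\z/u', $s) === 1;
}

/** Insert one row with mysqli, all four values bound. Returns the new row id. */
function insertUgc(mysqli $db, string $data, string $name, string $creator): int
{
    if (!validName($name) || !validName($creator)) {
        throw new InvalidArgumentException('Error 2'); // same error code as the post
    }
    $createdStamp = time(); // current UTC Unix timestamp; no string round-trip

    $stmt = $db->prepare(
        'INSERT INTO `ugcl` (`DATA`, `NAME`, `CREATOR`, `CREATEDSTAMP`) VALUES (?, ?, ?, ?)'
    );
    // "sssi": three strings, one integer. Bound values are sent separately
    // from the SQL text, so nothing in them can change the statement.
    $stmt->bind_param('sssi', $data, $name, $creator, $createdStamp);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

/** Build a PDO connection with real (non-emulated) prepares and exceptions. */
function pdoConnect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // let the server parse and bind
    ]);
}

/** The same insert using PDO named placeholders. */
function insertUgcPdo(PDO $pdo, string $data, string $name, string $creator): int
{
    if (!validName($name) || !validName($creator)) {
        throw new InvalidArgumentException('Error 2');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO `ugcl` (`DATA`, `NAME`, `CREATOR`, `CREATEDSTAMP`)
         VALUES (:data, :name, :creator, :ts)'
    );
    $stmt->bindValue(':data',    $data,    PDO::PARAM_STR);
    $stmt->bindValue(':name',    $name,    PDO::PARAM_STR);
    $stmt->bindValue(':creator', $creator, PDO::PARAM_STR);
    $stmt->bindValue(':ts',      time(),   PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Request handling: read POST fields defensively, run the query, close.
$data    = (string) ($_POST['DATA'] ?? '');
$name    = (string) ($_POST['NAME'] ?? '');
$creator = (string) ($_POST['CREATOR'] ?? '');

$connect = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$connect->set_charset('utf8mb4');
try {
    insertUgc($connect, $data, $name, $creator);
    echo 'Success';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo $e->getMessage();
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details stay in the server log
    http_response_code(500);
    echo 'Error';                // generic message to the client
} finally {
    $connect->close();
}
```

Binding the timestamp as `i` removes the last piece of the statement that was built by string concatenation, so the SQL text the server prepares is now constant and does not depend on any request data. Set `PDO::ATTR_EMULATE_PREPARES` to `false` when using PDO with MySQL, otherwise PDO interpolates the values client-side and the server never sees a real prepared statement.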
