I keep getting told by people my code (https://github.com/LaughingQuoll/Administrator-Control-Panel) is vunerable to SQL injection. That all great but I dont understand how to fix it. I think I fixed in in the index.php file but I dont know. Could someone please take a look over it and suggest how I can fix it or if I did fix it with my recent commit. Thanks.
1条回答 默认 最新
dongyi1921 2015-11-08 04:52关注TL;DR;
Use prepared statements and read How can I prevent SQL injection in PHP? carefully
While this is not a code review site, but a question and answer site, I would like to point out that as long as you are doing things like this....
$result = mysqli_query("SELECT * FROM members WHERE username='" . $uername . "' and password = '". $password."'");in your code where you are concatenating values into your code without first passing them through the proper escape functions, you are definitely vulnerable to SQL injection. You're also vulnerable to human error (forgetting to escape or escaping incorrectly).
Even though here you do pass the value into
mysqli_real_escape_stringyou're doing it before the connection to the SQL server is established, and thus before the charset is negotiated between the client and server, which means you are still be vulnerable to SQLi.**** Big fat warning in the manual for this ****
Caution
Security: the default character set
The character set must be set either at the server level, or with the API function
mysqli_set_charset()for it to affectmysqli_real_escape_string(). See the concepts section on character sets for more information.Not going to bother doing a full audit on your code here, but I am going to point you to How can I prevent SQL injection in PHP? and also https://stackoverflow.com/a/12202218/1878262 for more details on why character set negotiation is still important to preventing SQLi.
本回答被题主选为最佳回答 , 对您是否有帮助呢?解决 无用评论 打赏举报
分享
- 2015-11-08 04:44回答 1 已采纳 TL;DR; Use prepared statements and read How can I prevent SQL injection in PHP? carefully While
- 2014-10-05 11:33回答 1 已采纳 You could easily just call the addNewUser() function passing the required parameters as: addNewUs
- 2017-09-26 11:50回答 1 已采纳 First of all, don't use mysql_, use mysqli_. Second, that's because you can't put two queries in
- 2020-12-19 18:52对于攻击者来说,进行SQL注入攻击需要思考和试验,对数据库方案进行有根有据的推理非常有必要(当然假设攻击者看不到你的源程序和数据库方案),考虑以下简单的登录表单:复制代码 代码如下:<form action=”/...
- 2017-09-22 07:12回答 4 已采纳 $exc = $dbh->prepare("SELECT id, cid, fullname FROM user WHERE BINARY username LIKE :username A
- 2019-02-26 18:23回答 2 已采纳 You can used session variable ,it will help to make data accessible across the various pages . So
- 2018-04-26 23:36回答 1 已采纳 Try to replace your code into this <input type="text" name="sms_numbers" // change input name
- 2020-12-18 02:24在某些表单中,用户输入的内容直接用来构造(或者影响)动态SQL命令,或作为存储过程的输入参数,这类表单特别容易受到SQL注入式攻击。常见的SQL注入式攻击过程类如: ⑴ 某个ASP.NET Web应用有一个登录页面,这个...
- 2019-08-07 09:54回答 2 已采纳 Solution: I used Apache as the webserver, but the HTML and PHP files were in another location, so
- 2017-03-16 16:50回答 1 已采纳 You are basically not posting your data to your processform.php file. Using <?php echo $_SERVER
- 2017-02-22 01:08回答 1 已采纳 If you are having problems distinguishing between your radio buttons and other form fields, you co
- 2023-05-31 13:33本案例主要在PHP中分别使用PDO的quote()方法和prepare()预处理语句来实现防止sql注入的功能。 所谓sql注入,就是通过把sql命令插入到Web表单提交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的sql...
- 2018-04-13 19:26回答 1 已采纳 When a user logging in your system, store that user's ID & user name in session & retrieve that us
- 2022-02-24 20:01zhoupenghui168的博客 在某些表单中,用户输入的内容直接用来构造(或者影响)动态SQL命令,或作为存储过程的输入参数,这类表单特别容易受到SQL注入式攻击。常见的SQL注入式攻击过程类如: ⑴ 某个php Web应用有一个登录页面,这个登录...
- 2020-10-19 12:10主要介绍了PHP实现表单提交数据的验证处理功能,可实现防SQL注入和XSS攻击等,涉及php字符处理、编码转换相关操作技巧,需要的朋友可以参考下
- 没有解决我的问题, 去提问
悬赏问题
- ¥15 求帮我调试一下freefem代码
- ¥15 matlab代码解决,怎么运行
- ¥15 R语言Rstudio突然无法启动
- ¥15 关于#matlab#的问题:提取2个图像的变量作为另外一个图像像元的移动量,计算新的位置创建新的图像并提取第二个图像的变量到新的图像
- ¥15 改算法,照着压缩包里边,参考其他代码封装的格式 写到main函数里
- ¥15 用windows做服务的同志有吗
- ¥60 求一个简单的网页(标签-安全|关键词-上传)
- ¥35 lstm时间序列共享单车预测,loss值优化,参数优化算法
- ¥15 Python中的request,如何使用ssr节点,通过代理requests网页。本人在泰国,需要用大陆ip才能玩网页游戏,合法合规。
- ¥100 为什么这个恒流源电路不能恒流?