dongzang7182 2018-08-16 05:09
103 views

PHP PDO not working properly, SQL injection still possible

Thanks for the help everyone, I'm closer. I ended up putting the $_GET into the bind instead of setting vars, didn't see a point in that. I wasn't sure which answer to put in the SELECT, so this sample has the '?'. I tried both though. I also changed the bindParam to the sample above (:careerID and :title). The good news is the injection won't work, but the bad news is I cannot click on the link to view the description. Here is the edited code, again I appreciate any assistance!

$conn = new PDO('mysql:host=XXXX;dbname=XXXX', 'XXXX', 'XXXX');
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Leave column names as returned by the database driver
$conn->setAttribute(PDO::ATTR_CASE, PDO::CASE_NATURAL);
// Convert empty string to NULL
$conn->setAttribute(PDO::ATTR_ORACLE_NULLS, PDO::NULL_EMPTY_STRING);

// Note: the '?' markers are inside single quotes, so they are string literals
// to the database and this statement declares no placeholders at all.
$SQL = "SELECT *
          FROM careerapplicationpost,careerapplicationjobdescription
         WHERE careerapplicationpost.CareerApplicationPostID = '?'
           AND careerapplicationjobdescription.JobDescriptionTitle = '?'";

$sth = $conn->prepare($SQL);
// binding parameters (named :careerId / :title, which the SQL above never declares)
$sth->bindParam(':careerId', $_GET['CareerID'], PDO::PARAM_INT, 100);
$sth->bindParam(':title', $_GET['Title'], PDO::PARAM_STR, 100);
// executing statement
$sth->execute();
$resultSet = $sth->fetchAll();

// Note: this loop re-runs the raw $SQL text through query() and never reads $resultSet
foreach ($conn->query($SQL) as $row) {
    // setup the postings
    echo "<h2>";
    echo "<a href=\"/careers/view-career.php?CareerID=$row[CareerApplicationPostID]&Title=$row[JobDescription]\">$row[JobDescriptionDisplayTitle]</a><br />";
    echo "</h2><hr />";
    echo "<br />";
    echo $row['Location'];
    echo ", &nbsp;&nbsp;";
    echo $row['FullTimePartTime'];
    echo "<div class=\"postedon\">Posted on ";
    echo $row['PostedDate'];
    echo "</div>";
    echo "<br />";
    echo "<br />";
    echo "<strong>Summary:</strong>  ";
    echo $row['JobDescriptionSummary'];
    echo "<br />";
    echo "<br />";
    echo $row['JobDescriptionEdited'];
    echo "<div class=\"linebreak\">&nbsp;</div>";
    echo "<a href=\"/careers/files/DigiEmploymentApp.pdf\">Please fill out an application here.</a><br />";
    echo "<div class=\"clear\"></div>";
    echo "<hr />";
}

// redirect to the index when no posting was found
if (!$row['CareerApplicationPostID']) {
    header("Location:index.php");
    exit;
}
$conn = null;


3 answers

  • dousi2029 2018-08-16 05:17

    You can easily fix your code:

    $SQL = "SELECT *
              FROM careerapplicationpost,careerapplicationjobdescription
             WHERE careerapplicationpost.CareerApplicationPostID = :careerId
               AND careerapplicationjobdescription.JobDescriptionTitle = :title";

    // the request values are only ever bound, never interpolated into $SQL
    $careerId = $_GET['CareerID'];
    $title    = $_GET['Title'];

    $sth = $conn->prepare($SQL);
    // binding parameters
    $sth->bindParam(':careerId', $careerId, PDO::PARAM_INT);
    $sth->bindParam(':title', $title, PDO::PARAM_STR, 100);
    // executing statement
    $sth->execute();
    

    The problem was that you passed a query with the values already substituted into the string variable $SQL, because you used the variables inside of "".

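The following is an added example, not the asker's or the answerer's code: it puts the answer's named-placeholder query into a self-contained script that runs offline against an in-memory SQLite database, so the behaviour can be checked without the MySQL host from the question. The table and column names are the ones used in the question; the sample rows, the function names `openDemoDb` and `findPosting`, and the request values passed in are constructed for the demonstration.

```php
<?php
// Added example (not the question's or answer's own code): named placeholders
// with PDO, run against an in-memory SQLite database so it works offline.
// Table and column names follow the question; the rows are constructed.

function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

    $pdo->exec('CREATE TABLE careerapplicationpost (
                    CareerApplicationPostID INTEGER PRIMARY KEY,
                    JobDescription TEXT,
                    Location TEXT)');
    $pdo->exec('CREATE TABLE careerapplicationjobdescription (
                    JobDescriptionTitle TEXT,
                    JobDescriptionDisplayTitle TEXT,
                    JobDescriptionSummary TEXT)');

    // Constructed sample rows.
    $pdo->exec("INSERT INTO careerapplicationpost VALUES (7, 'engineer', 'Boston')");
    $pdo->exec("INSERT INTO careerapplicationjobdescription
                VALUES ('engineer', 'Software Engineer', 'Writes code')");
    return $pdo;
}

/**
 * Look up a posting. $careerId and $title are untrusted request values
 * (in the question: $_GET['CareerID'] and $_GET['Title']). They are never
 * concatenated into the SQL text; they are bound to :careerId and :title.
 */
function findPosting(PDO $pdo, string $careerId, string $title): array
{
    // Placeholders are NOT quoted: quoting them would turn them into literals.
    $sql = 'SELECT *
              FROM careerapplicationpost, careerapplicationjobdescription
             WHERE careerapplicationpost.CareerApplicationPostID = :careerId
               AND careerapplicationjobdescription.JobDescriptionTitle = :title';

    $sth = $pdo->prepare($sql);
    // bindValue is enough here because the values are not changed before execute().
    $sth->bindValue(':careerId', (int) $careerId, PDO::PARAM_INT);
    $sth->bindValue(':title', $title, PDO::PARAM_STR);
    $sth->execute();

    // Read the prepared statement's own result; do not re-run $sql via query().
    return $sth->fetchAll();
}

$pdo = openDemoDb();

// Legitimate request: exactly one row comes back.
$rows = findPosting($pdo, '7', 'engineer');
printf("legitimate lookup: %d row(s)\n", count($rows));

// Constructed input containing a quote and SQL keywords: it is bound as plain
// data, so it simply fails to match and zero rows come back.
$rows = findPosting($pdo, '7', "engineer' OR 'a'='a");
printf("quoted input:      %d row(s)\n", count($rows));

// Rendering the link from the question: encode values before echoing them
// into a URL and into HTML, so database content cannot break the markup.
foreach (findPosting($pdo, '7', 'engineer') as $row) {
    printf('<a href="/careers/view-career.php?CareerID=%d&Title=%s">%s</a>' . "\n",
        $row['CareerApplicationPostID'],
        rawurlencode($row['JobDescription']),
        htmlspecialchars($row['JobDescriptionDisplayTitle'], ENT_QUOTES, 'UTF-8'));
}
```

Two details worth knowing when adapting this back to the question's code: the loop iterates the `PDOStatement` returned by `prepare()`/`execute()`, not a fresh `$conn->query($SQL)`, which is why the bound values actually take effect; and the fourth argument to `bindParam` (the `100` in the question) is a data length that only matters for INOUT parameters of stored procedures, so it can be dropped for ordinary input values.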
