douchen7555 2013-12-16 11:30
浏览 31
已采纳

如何通过url重写安全地传递php中的变量?

i have a list of linked thumbnails. Each thumbnail has a link with one variable.

<a href="index.php?id=1"><img src="thumb1.jpg">
<a href="index.php?id=2"><img src="thumb2.jpg">

etc...

now, i've updated site to use url rewriting. Idea is that i have links like this

<a href="gallery/?id=1"><img src="thumb1.jpg">
<a href="gallery/?id=2"><img src="thumb2.jpg">

or something simillar.

On the landing page, i use $id to execute MySQL query and show all pictures from gallery with that id.

$pictures = mysql_query("SELECT * FROM t_gallery where id=$id",$db);

Can it be done, and main thing, how can i prevent that passing id poses a security threat?

Cheers, Aleks

  • 写回答

3条回答 默认 最新

  • dpruwm6206 2013-12-16 11:34
    关注

    The url-rewriting part does not itself really introduce any new security-threats, the issue is the usage of mysql_* functions (which are deprecated) and not escaping the $id request-variable.

    If you are scared of SQL-Injections (as one should be), either escape the $id variable before using it in the query or rather use prepared statements (and then switch to either mysqli or PDO, which you should do in any case cause of mysql_* being deprecated!).

    Always validate and escape anything that you are about to use in a database query.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 flask项目,怎么使用AJAX传数据库数据到echarts图表的data里,实现异步加载数据。
  • ¥15 本题的答案是不是有问题
  • ¥15 关于#r语言#的问题:(svydesign)为什么在一个大的数据集中抽取了一个小数据集
  • ¥15 C++使用Gunplot
  • ¥15 这个电路是如何实现路灯控制器的,原理是什么,怎么求解灯亮起后熄灭的时间如图?
  • ¥15 matlab数字图像处理频率域滤波
  • ¥15 在abaqus做了二维正交切削模型,给刀具添加了超声振动条件后输出切削力为什么比普通切削增大这么多
  • ¥15 ELGamal和paillier计算效率谁快?
  • ¥15 蓝桥杯单片机第十三届第一场,整点继电器吸合,5s后断开出现了问题
  • ¥15 file converter 转换格式失败 报错 Error marking filters as finished,如何解决?