dsj60862 2015-05-26 06:02
浏览 77
已采纳

你如何保护html值

I'm printing an ID from the database in the order to create a SQL statement INNER JOIN with that ID. So, the problem is that the "user" can change it from the debugging tool and easy "crack" the site.

Check it out:

<select name="brand">
    <?php 
    # Print brands names
    for ($i=0; $i < count($brandsql); $i++) { 
        print '<option value="' . $brandsql[$i]['brand_id'] . '">' . $brandsql[$i]['brand_name'] . '</option>';
    }
    ?>
</select>

So... My question is: Is there a way to do this without print the ID to the HTML? Note that I'm getting the ID value with JavaScript:

$('#brand').change(function(e){
    $.getJSON("q.php", {type: 1, brand: this.value})
    .done(function(e){
        // I print the results to the user.
    });
});

Exist better way to do this?

  • 写回答

5条回答 默认 最新

  • dongxu7408 2015-05-26 06:07
    关注

    Simple answer: You can't.

    What you are describing is called SQL Injection, a method of "cracking" a website by injecting SQLs which were never intended by the developer. This can result in horrible situations like deleting your database or getting access to the admin account.

    To prevent this, your only possibility is to sanitize the input with PHP, for example with filter_var():

    $input = filter_var($_POST['brand']);

    Even though the situation isn't that terrible in your case, I'd recommend you implement security measures. Never trust user input. It's evil.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(4条)

报告相同问题?

悬赏问题

  • ¥20 完全没有学习过GAN,看了CSDN的一篇文章,里面有代码但是完全不知道如何操作
  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等
  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 qt6.6.3 基于百度云的语音识别 不会改
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行