douqin231881 2016-02-13 09:05
浏览 24
已采纳

如何以安全的方式执行PHP Select查询?

How can I do this piece of code in a safe way to prevent SQL injections?

I tried to read the php manual of mysqli->prepared but I was not able to convert it since I'm new to PHP development.

NOTE: DAL::$conn is $msqli = new mysqli()

$objects = array();
        if($id != null)
        {
            $sql = "select * from Pages where id = ".$id;
        }
        else
        {
            $sql = "select * from Pages";
        }

        $result = mysqli_query(DAL::$conn, $sql);

        if (mysqli_num_rows($result) > 0) {
            // output data of each row
            $records = 0;

            while($row = mysqli_fetch_assoc($result)) {
                $records++;
                $data = new Pages();
                $data->id       =   $row["id"];
                $data->title    =   $row['title'];
                $data->content  =   $row["content"];
                $objects[$records] = $data;
            }
        } else {
            //No results
        }
  • 写回答

2条回答 默认 最新

  • doujishan2247 2016-02-13 09:08
    关注

    Any query can be injected whether it's read or write, persistent or transient. Injections can be performed by ending one query and running a separate one (possible with mysqli), which renders the intended query irrelevant.

    Any input to a query from an external source whether it is from users or even internal should be considered an argument to the query, and a parameter in the context of the query. Any parameter in a query needs to be parameterized. This leads to a properly parameterized query that you can create a prepared statement from and execute with arguments. For example:

    SELECT col1 FROM t1 WHERE col2 = ?

    ? is a placeholder for a parameter. Using mysqli, you can create a prepared statement using prepare, bind a variable (argument) to a parameter using bind_param, and run the query with execute. You don't have to sanitize the argument at all (in fact it's detrimental to do so). mysqli does that for you. The full process would be:

    $stmt = mysqli->prepare("SELECT col1 FROM t1 WHERE col2 = ?");
$stmt->bind_param("s", $col2_arg);
$stmt->execute();

    There is also an important distinction between parameterized query and prepared statement. This statement, while prepared, is not parameterized and is thus vulnerable to injection:

    $stmt = mysqli->prepare("INSERT INTO t1 VALUES ($_POST[user_input])");

    To summarize:

    1. All Queries should be properly parameterized (unless they have no parameters)
    2. All arguments to a query should be treated as hostile as possible no matter their source
    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 在获取boss直聘的聊天的时候只能获取到前40条聊天数据
  • ¥20 关于URL获取的参数,无法执行二选一查询
  • ¥15 液位控制,当液位超过高限时常开触点59闭合,直到液位低于低限时,断开
  • ¥15 marlin编译错误,如何解决?
  • ¥15 有偿四位数,节约算法和扫描算法
  • ¥15 VUE项目怎么运行,系统打不开
  • ¥50 pointpillars等目标检测算法怎么融合注意力机制
  • ¥20 Vs code Mac系统 PHP Debug调试环境配置
  • ¥60 大一项目课,微信小程序
  • ¥15 求视频摘要youtube和ovp数据集