doujiao1180 2014-03-31 18:25
Answer accepted

SQL injection attempt - is my code vulnerable?

I found in my logs that someone is trying to attack my page. I have some sub-pages where data is pulled from a DB via an ID that is submitted by the URL, like page.php?id=666. What I could find in my logs are these attacks:

page.php?id=../../../../../../../../../../etc/passwd
page.php?id=/proc/self/environ
page.php?id=-1%27

And even more important, is my code weak? Might this attack have been successful?

$id = intval($_GET['id']);
$stmt = $con->prepare("SELECT *
    FROM mytable AS myvar
    WHERE myvar.ID = :ID");
$stmt->bindValue(':ID', $id, PDO::PARAM_INT);
$stmt->execute();

Thanks in advance!

2 answers

  • douxiong4250 2014-03-31 18:28
    No, this code is not vulnerable to SQL injections.

    Both the intval conversion and prepared statement with PDO::PARAM_INT binding ensure that only integer values are used in the comparison of the statement that is being executed.

    Anyways, the mentioned requests don’t seem to aim for identifying SQL injections only but several different vulnerabilities, e.g., Path Traversal (CWE-22) and Local File Inclusion (CWE-98) as well. So you may want to watch out for those vulnerabilities as well.

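An added example, not part of the question or the answer: it runs the three logged id values through the question's intval() plus PDO::PARAM_INT query, and beside it a stricter check that rejects anything that is not a positive integer. Assumptions: the pdo_sqlite extension, an in-memory database with one constructed row standing in for the real table, and the hypothetical helper names parseId and fetchPage.

```php
<?php
// In-memory stand-in for the real database; table contents are constructed.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE mytable (ID INTEGER PRIMARY KEY, title TEXT)');
$con->exec("INSERT INTO mytable (ID, title) VALUES (666, 'sample page')");

// Hypothetical helper: accept only a decimal integer >= 1, otherwise null.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper wrapping the query from the question.
function fetchPage(PDO $con, int $id): array
{
    $stmt = $con->prepare('SELECT * FROM mytable AS myvar WHERE myvar.ID = :ID');
    $stmt->bindValue(':ID', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// One legitimate id, then the three values from the question's logs.
$requests = [
    '666',
    '../../../../../../../../../../etc/passwd',
    '/proc/self/environ',
    rawurldecode('-1%27'), // $_GET is already URL-decoded by PHP: "-1'"
];

foreach ($requests as $raw) {
    $cast   = intval($raw);                    // what the question's code does
    $rows   = count(fetchPage($con, $cast));   // rows the bound query returns
    $strict = parseId($raw);                   // reject instead of coercing
    printf(
        "%-42s intval=%-4d rows=%d strict=%s\n",
        $raw,
        $cast,
        $rows,
        $strict === null ? 'reject (HTTP 400)' : "accept $strict"
    );
}
```

With intval() the probe strings are coerced to an integer and the query simply finds no matching row; the strict check lets the page answer such requests with an error instead, which also makes them easy to count in the logs.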