doujiao1180 2014-03-31 18:25
浏览 45
已采纳

SQL注入尝试 - 我的代码容易受到攻击吗?

I found in my logs that someone is trying to attack my page. I have some sub-pages where data is pulled from an DB via an ID that is submitted by the URL. Like page.php?id=666 What I could find in my logs are these attacks:

page.php?id=../../../../../../../../../../etc/passwd
page.php?id=/proc/self/environ
page.php?id=-1%27

And even more important, is my code weak? Might this attack have been successful?

$id = intval($_GET['id']);
$stmt = $con->prepare("SELECT *
    FROM mytable AS myvar
    WHERE myvar.ID =:ID");
    $stmt->bindValue(':ID', $id, PDO::PARAM_INT);
    $stmt->execute();

Thanks in advance!

  • 写回答

2条回答 默认 最新

  • douxiong4250 2014-03-31 18:28
    关注

    No, this code is not vulnerable to SQL injections.

    Both the intval conversion and prepared statement with PDO::PARAM_INT binding ensure that only integer values are used in the comparison of the statement that is being executed.

    Anyways, the mentioned requests don’t seem to aim for identifying SQL injections only but several different vulnerabilities, e. g., Path Traversal (CWE-22) and Local File Inclusion (CWE-98) as well. So you may want to watch out for those vulnerabilities as well.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 麒麟V10桌面版SP1如何配置bonding
  • ¥15 Marscode IDE 如何预览新建的 HTML 文件
  • ¥15 K8S部署二进制集群过程中calico一直报错
  • ¥15 java python或者任何一种编程语言复刻一个网页
  • ¥20 如何通过代码传输视频到亚马逊平台
  • ¥15 php查询mysql数据库并显示至下拉列表中
  • ¥15 freertos下使用外部中断失效
  • ¥15 输入的char字符转为int类型,不是对应的ascall码,如何才能使之转换为对应ascall码?或者使输入的char字符可以正常与其他字符比较?
  • ¥15 devserver配置完 启动服务 无法访问static上的资源
  • ¥15 解决websocket跟c#客户端通信