自动完成撇号和注射攻击

I'm having difficulties passing an apostrophe into my autocomplete. The database contains entries that do not have apostrophes...instead the html equivalent is being used (&POUND039;). I'm still very new to ajax so I really appreciate the help. The question is, how do I pass in the value of an apostrophe and have it match? Also, is my code susceptible to an injection attack? Thanks in advance for your help!

The code is like this:

<script type="text/javascript">
var options = {
        serviceUrl:'autocomplete/autoQuery.php',
            minChars:2, 
            delimiter: /(,|;)\s*/, // regex or character
            maxHeight:400,
            width:500,
            zIndex: 9999,
            deferRequestBy: 0, //miliseconds
            params: { country:'Yes' }, //aditional parameters
            noCache: false, //default is false, set to true to disable caching
            // callback function:
            // onSelect: function(value, data){ alert('You selected: ' + value + ', ' + data); },
            onSelect: function(value, data){ window.location = "textbooks.php?bk=" + data;}
    }; 
$('#query').autocomplete(options);
</script>

I have a php script sending back the query results. The page is called query.php and the code there is this:

$get = htmlentities($_GET['query']);
$query = "SELECT title,author,id,isbn10,isbn13 FROM textbook
        WHERE title LIKE '%" . $get . "%'
        OR author LIKE '" . $get . "%'
        OR isbn10 LIKE '" . $get . "%'
        OR isbn13 LIKE '" . $get . "%'
        LIMIT 5
        ";
$result = mysql_query($query,$connection);
if(mysql_num_rows($result) == 0){
$resString = "'No result found. Click here',";
$idString = "'unknown',";
}else{
$resString = "";
$idString = "";
while($data = mysql_fetch_array($result)){
    $resString .= "'" . $data['title'] . " by " . $data['author'] . "',";
    $idString .= "'" . $data['id'] . "',";
}   
}

$resString = rtrim($resString, ',');
$idString = rtrim($idString, ',');
$code = "{
";
$code .= "query:'" . $get . "',
";
$code .= "suggestions:[" . $resString . "],
";
$code .= "data:[" . $idString . "]
";
$code .= "}";
echo $code;

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
dqq48152418 2012-04-07 13:27
关注
Your script as it is, is vulnerable to SQL injection since $get is used unescaped. htmlentities() the way you have it won't encode quotes.

Fix the data first:

It is not recommended to store encoded values in the database (especially not weirdly encoded ones like &POUND039). So the first thing I would suggest is to replace those values in your database with actual apostrophes.

UPDATE textbook SET title = REPLACE(title, '&POUND039', '\''), author = REPLACE(author, '&POUND039', '\''), etc...

Then instead of using htmlentities() (which by the way doesn't encode quotes unless you pass the ENT_QUOTES constant, pass in a properly escaped string $get, which will match the regular single quotes in your database. Note, there are additional issues with escaping a string containing literal % and _ to be used in a LIKE statement, so this is only the bare minimum of what can be done.

$get = mysql_real_escape_string($_GET['query']); $query = "SELECT title,author,id,isbn10,isbn13 FROM textbook WHERE title LIKE '%" . $get . "%' OR author LIKE '" . $get . "%' OR isbn10 LIKE '" . $get . "%' OR isbn13 LIKE '" . $get . "%' LIMIT 5 ";

The real solution:

However, as suggested in comments, this would all work much more smoothly and without worry of injection if you use PDO and bound parameters:

// PDO connection information omitted... $query = "SELECT title,author,id,isbn10,isbn13 FROM textbook WHERE title LIKE CONCAT('%', :get, '%') OR author LIKE CONCAT(:get, '%') OR isbn10 LIKE CONCAT(:get, '%') OR isbn13 LIKE CONCAT(:get, '%') LIMIT 5 "; $stmt = $db->prepare($query); $stmt->execute(array(':get', $_GET['query']); while ($data = $stmt->fetch(PDO::FETCH_ASSOC)) { $resString .= "'" . $data['title'] . " by " . $data['author'] . "',"; $idString .= "'" . $data['id'] . "',"; } // etc...
本回答被题主选为最佳回答 , 对您是否有帮助呢?

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容