doushangan3690 2019-08-08 11:44
浏览 76

关于在sql代码中使用$ _GET [“”]的建议,例如 if $ _GET [“val”] == [关闭]

This question is three fold and regarding security with GET.

At the moment I am using a script that works on prepared statements and MAKES connections to mysql e.g.

    $userinput= $_GET["userinput"];    
    // make connection
    $mysqli = new mysqli("$servername", "$username", "$password", "$databasename");
    $mysqli->set_charset('utf8');
$userinput= $_GET["userinput"];  
    $stmt = $mysqli -> prepare('SELECT one, two, three FROM tablename WHERE unique = ?');

    if (
    $stmt &&
    $stmt -> bind_param('s', $userinput) &&
    $stmt -> execute() &&
    $stmt -> store_result() &&
    $stmt -> bind_result($one, $two, $three)
    ) 
    {
    WHILE LOOP HERE
    }
    ?>

it is using link data passed alone in the URL e.g.

<a href="index.php?userinput=3">link3</a>

Question 1

Security wise, I think the above is secure from MySQL injection attack (please correct and provide example if possible if this is not the case). However, for extra security I would also like to use a fallback in the code e.g. real_escape_string (just in case there are any errors in my coding etc).

To do this, would I simply change

$userinput= $_GET["userinput"]; 

to

$uncheckedinput = $_GET["userinput"];    
$userinput = $mysqli->real_escape_string($uncheckedinput);

or do I need to do something else?

Question 2

I would also like to use the variable $userinput on the page in non database php code e.g.

<?php if (empty($userinput )) {
echo "no data submitted, try again";
}
?>

Is there anyway the above could be manipulated maliciously e.g. should sanitation be used or is it not really needed and if so, how would I do this? I tried using :

mysqli_real_escape_string($mysqli, $userinput);

but this left me with an output like "userdata /'" if the data was manipulated to include a ' in the url.

Question 3

$userinput= $_GET["userinput"]; 

Should I be using ' or " in this line?

Any help would be appreciated and code examples greatly appreciated :)

  • 写回答

0条回答 默认 最新

    报告相同问题?

    悬赏问题

    • ¥15 求.net core 几款免费的pdf编辑器
    • ¥20 SQL server表计算问题
    • ¥15 C# P/Invoke的效率问题
    • ¥20 thinkphp适配人大金仓问题
    • ¥20 Oracle替换.dbf文件后无法连接,如何解决?(相关搜索:数据库|死循环)
    • ¥15 数据库数据成问号了,前台查询正常,数据库查询是?号
    • ¥15 算法使用了tf-idf,用手肘图确定k值确定不了,第四轮廓系数又太小才有0.006088746097507285,如何解决?(相关搜索:数据处理)
    • ¥15 彩灯控制电路,会的加我QQ1482956179
    • ¥200 相机拍直接转存到电脑上 立拍立穿无线局域网传
    • ¥15 (关键词-电路设计)