duanduan8439 2016-04-20 10:53
28 views
Accepted

Is this SQL statement safe from injection even though it is not prepared?

I know you are supposed to prepare all SQL statements that the user has influence over; this question is more to see if you can also have a SQL query which the user can change, but where you handle the errors differently.

The code which is SQL injectable:

// The value only reaches the query if it is set, casts to a non-zero int and passes is_numeric()
if (isset($_GET['delete']) && (int)$_GET['delete'] && is_numeric($_GET['delete'])) {
    $query = $handler->query('SELECT * FROM portfolio WHERE id =' . $_GET['delete']);
}
else {
    echo 'Error';
}

Would the SQL query be safe from injection due to the if statement around it or is there still some way of injecting it?

This is purely for research and it is obviously not in any real live website.

This is how the code looks when it is prepared just to show that I am not asking how to prepare:

// Same validation gate, but the value is bound as a parameter instead of concatenated
if (isset($_GET['delete']) && (int)$_GET['delete'] && is_numeric($_GET['delete'])) {
    $query = $handler->prepare('SELECT * FROM portfolio WHERE id = :id');
    $query->execute([
        ':id' => $_GET['delete']
    ]);
}
else {
    echo 'Error';
}

1 answer

  • douduanque5850 2016-04-20 10:59

    Yes, this particular code snippet is safe.

    I wonder what useful conclusion you ever can draw from this answer.

    Also, to answer some statements of yours.

    "you are supposed to prepare all SQL statements where the user has influence over"

    This is one of the worst delusions connected to SQL injection problem. In fact, you are only considered safe if all 100% of your queries are parametrized, and you never ever bother yourself with a question "whether the data I am dealing with is one a user has influence over".

    "but you handle the errors differently"

    This handling should never ever be connected to each other. If you want to verify the input parameters, it's a good idea. But by no means should your SQL handling code depend on the result of such a verification. They are just different matters. And in properly organized code your input parameter verification never sits in the same file with the SQL handling code. And the latter knows absolutely nothing of the fact of verification, or of any changes that have been done to such a verification (for example, it allowed only numbers at first and then was changed to accept an arbitrary string). SQL handling code should be able to run safely on any data provided.

    Accepted by the asker as the best answer.
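The answer's point is that input validation and SQL handling are separate concerns, and that the query must be safe on its own. The following is an added example, not code from the question or the answer: a validation function that knows nothing about SQL, and a data-access function that binds its parameter and would be just as safe if the validation were later relaxed. It uses an in-memory SQLite database through PDO so it runs offline; the table layout, the function names `parsePortfolioId` and `findPortfolioRow`, and the sample request values are all constructed for the demonstration.

```php
<?php
// Added example (not from the question or answer): validation kept separate
// from the data-access code, which always uses a prepared statement.
declare(strict_types=1);

// Validation layer: turns a raw request value into a positive int or null.
// It knows nothing about SQL. FILTER_VALIDATE_INT rejects "1e3", "2 OR 1=1"
// and anything else that is not a plain decimal integer, which the question's
// is_numeric() check would not do for exponent notation.
function parsePortfolioId(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Data-access layer: the value is bound, never concatenated into the SQL text,
// so this function stays safe no matter what the caller passes in.
function findPortfolioRow(PDO $handler, int $id): ?array
{
    $stmt = $handler->prepare('SELECT * FROM portfolio WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo with constructed data (assumed table layout) ---
$handler = new PDO('sqlite::memory:');
$handler->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$handler->exec('CREATE TABLE portfolio (id INTEGER PRIMARY KEY, title TEXT)');
$handler->exec("INSERT INTO portfolio (id, title) VALUES (1, 'first'), (2, 'second')");

// Constructed request values standing in for $_GET['delete'].
$samples = ['2', '0', '1e3', '2 OR 1=1', '2; DROP TABLE portfolio', null];

foreach ($samples as $raw) {
    $id = parsePortfolioId($raw);
    if ($id === null) {
        printf("%-28s -> rejected by validation\n", var_export($raw, true));
        continue;
    }
    $row = findPortfolioRow($handler, $id);
    printf("%-28s -> id %d: %s\n", var_export($raw, true), $id,
        $row === null ? 'no row' : $row['title']);
}
```

Only `'2'` reaches the database; the other values are rejected by the validation layer. The important property, as the answer describes, is that `findPortfolioRow` would remain safe even if `parsePortfolioId` were changed tomorrow to accept arbitrary strings, because the query text never depends on the input.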
