douyue1998 2013-09-26 19:06
Views: 47
Accepted

Data not being processed when the user uses single quotes in an input/textarea

I wasn't too sure on how to word the title, so I'll try my best to explain here.

I've created a register system and came across a bug that I never took into consideration when developing the system. When a user types in the input boxes or a textarea, if they use single quotations the data won't be sent to the database as it will be closing the query.

This is my query code:

mysqli_query($uys, "INSERT INTO users SET bandname='$bandname', genre='$genre', location='$location', bio='$bio', password='$password', email='$email', ip='$ip'"); 

Of course if they don't use single quotations, there will be no error. They can use double quotes fine.

My variables are like this:

$bandname = $_POST['bandname'];
$genre = $_POST['genre'];
$location = $_POST['location'];

What is a way around this? I'm not the best with PHP, still learning so your help will be amazing and will help me lots.

Sorry if this wasn't well explained; if you're confused about what I mean, I'll try my best to explain it better.

3 answers (Default, Newest)

  • drl6054 2013-09-26 21:31

    This is a serious issue. What you face here is a wide open SQL INJECTION.

    You concatenate a query from unsanitized strings - this might lead to any kind of trouble, the smallest of which is getting your whole database deleted...

    Don't concatenate query strings without using proper sanitization! In this case, mysqli_real_escape_string is the proper solution.

    The most recommendable (is that a word?) solution is using prepared statements wherever possible:

    $stmt = $mysqli->prepare("INSERT INTO users SET bandname=?, genre=?, location=?, bio=?, password=?, email=?, ip=?");
    
    $stmt->bind_param("sssssss", $bandname, $genre, $location, $bio, $password, $email, $ip);
    $stmt->execute();
    

    Note: sanitization is still important from a content point of view, to prevent issues like XSS attacks, or JavaScript injection into pages...

    (Also, using PDO promises independence of databases too, it is worth checking it out...)

    This answer was selected by the asker as the best answer.
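The same INSERT done the way this answer recommends, as an added example that is not code from the question or the answer: a mysqli prepared statement, then the PDO equivalent. The connection details are placeholders, the users table is assumed to have the columns from the question, and the sample input is constructed so that it contains the single quotes that broke the concatenated query.

```php
<?php
// Added example, not from the original post. Connection values are placeholders.

function registerUserMysqli(mysqli $db, array $u): bool
{
    // The SQL text never contains user data; each '?' is filled in by the server.
    $sql = "INSERT INTO users SET bandname=?, genre=?, location=?, bio=?, password=?, email=?, ip=?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // One "s" per value: every parameter is sent as a string, separately from the
    // query, so quotes inside it cannot terminate the statement.
    $stmt->bind_param(
        'sssssss',
        $u['bandname'], $u['genre'], $u['location'], $u['bio'],
        $u['password'], $u['email'], $u['ip']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function registerUserPdo(PDO $db, array $u): bool
{
    // Named placeholders; the array keys passed to execute() must match them.
    $sql = "INSERT INTO users SET bandname=:bandname, genre=:genre, location=:location, "
         . "bio=:bio, password=:password, email=:email, ip=:ip";
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':bandname' => $u['bandname'], ':genre' => $u['genre'],
        ':location' => $u['location'], ':bio' => $u['bio'],
        ':password' => $u['password'], ':email' => $u['email'], ':ip' => $u['ip'],
    ]);
}

// Constructed sample input containing the apostrophes that closed the original query.
$user = [
    'bandname' => "O'Reilly's Band", 'genre' => "Rock 'n' Roll",
    'location' => "St. John's", 'bio' => "We don't play covers.",
    'password' => 'hunter2', 'email' => 'band@example.com', 'ip' => '203.0.113.7',
];

$mysqli = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholders
$mysqli->set_charset('utf8mb4');
registerUserMysqli($mysqli, $user);

$pdo = new PDO('mysql:host=localhost;dbname=db_name;charset=utf8mb4', 'db_user', 'db_pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);
registerUserPdo($pdo, $user);
```

With PDO, leaving emulated prepares enabled makes the driver quote values client-side instead of sending them separately; disabling it keeps the data and the SQL apart on the server as well.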
