doubei5114 2014-04-12 19:11
63 views

Is this a safe method of preventing SQL injection?

I need some opinions about my PHP coding. I'm especially curious if this is safe against SQL injections. Apparently it seems to be, but I might be wrong.

And what do you think of this "style" of coding, as in, is it acceptable or really bad practice?

$validinputs = array(1,9,21,'a','b');

if(in_array($_GET['search'], $validinputs))
{
  $queryfilter = " = " . $_GET['search'];
}
else
{
  $queryfilter = "IS NOT NULL";
}

(...)

$query = "SELECT * FROM `table` WHERE `field` {$queryfilter}";

Thanks!

EDIT: In this case I compare with $validinputs because these are the only valid search terms for that field; any other search term would return nothing.


2 answers

  • dsmlf1207915 2014-04-12 19:15

    Ideally, you'd use stored procedures and your query would look like so...

    // Bind the search term as a parameter instead of concatenating it into the CALL
    // (assumes a PDO connection in $pdo); concatenating $_GET into the string would
    // reintroduce the injection the stored procedure is meant to avoid.
    $stmt = $pdo->prepare("CALL find_in_table(?)");
    $stmt->execute([$_GET['search']]);


    ... but since you have a list of acceptable inputs and are very strictly filtering them before passing them into a query string, I would say you're quite safe from SQL injection and using a stored procedure would be a performance enhancement for you more so than a security feature.

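The following is an added example, not code from the question or from the answer above. It reproduces the question's allowlist check to show one caveat a reviewer would raise (a loose `in_array()` compares with `==`, and on PHP 7 a string such as `'1 extra'` equals the integer `1`, so it passes the check and reaches `" = " . $_GET['search']` intact), and it then builds the final query, and the answer's stored-procedure call, with a bound parameter rather than string interpolation. The function names, the string allowlist `$validinputs_strict`, and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the question or the answer. It reproduces the
// question's allowlist check, shows the caveat with a loose in_array(), and
// builds the final query with a bound parameter instead of string interpolation.

// Allowlist as written in the question (mixed integers and strings).
$validinputs = array(1, 9, 21, 'a', 'b');

// Same entries, all as strings: $_GET values are always strings, so a strict
// comparison only works when the allowlist is declared as strings too.
$validinputs_strict = array('1', '9', '21', 'a', 'b');

// The question's check: in_array() without the third argument compares with ==.
function passes_loose_check(string $input, array $allowed): bool
{
    return in_array($input, $allowed);
}

// Hardened check: in_array() with strict=true compares with ===, so only a
// byte-identical string passes, on every PHP version.
function passes_strict_check(string $input, array $allowed): bool
{
    return in_array($input, $allowed, true);
}

// Builds the SQL text and its parameter list. The user value never enters the
// SQL string; it travels as a bound parameter. This also fixes the question's
// unquoted `= a` case: the driver sends 'a' as a string value, not a column name.
function build_query(string $search, array $allowed): array
{
    if (passes_strict_check($search, $allowed)) {
        return ["SELECT * FROM `table` WHERE `field` = ?", [$search]];
    }
    return ["SELECT * FROM `table` WHERE `field` IS NOT NULL", []];
}

// Constructed sample inputs: two legitimate values and one with trailing text.
$samples = ['1', 'a', '1 extra'];

echo "PHP " . PHP_VERSION . "\n";
foreach ($samples as $s) {
    // On PHP 7, '1 extra' == 1 is true (the string is cast to int), so the loose
    // check lets the whole string through. PHP 8 changed int/string comparison
    // and rejects it, but the strict check rejects it regardless of version.
    printf("%-10s loose: %-5s strict: %s\n",
        var_export($s, true),
        passes_loose_check($s, $validinputs) ? 'pass' : 'fail',
        passes_strict_check($s, $validinputs_strict) ? 'pass' : 'fail');
}

// Query construction with a bound parameter; no database is needed to see the shape.
foreach ($samples as $s) {
    [$sql, $params] = build_query($s, $validinputs_strict);
    echo $sql . '  params=' . json_encode($params) . "\n";
}
```

To run the built query against a real connection, pass the pair to PDO: `$stmt = $pdo->prepare($sql); $stmt->execute($params);`. The stored procedure from the answer is called the same way, `$pdo->prepare("CALL find_in_table(?)")->execute([$search])`, so the procedure adds no safety by itself; the parameter binding does.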
