dsk710351 2012-10-12 17:10
浏览 167
已采纳

SQL注入保护 - 单引号[重复]

Possible Duplicate:
Best way to prevent SQL injection in PHP?

Ive been doing a bit of testing to protect my sites from SQL Injection. I see there are a couple of ways of doing so, Escaping my user inputs, adding slashes, or better yet using parameterized sql statements.

I had this test code..

$q=$_GET["q"];
$game = mysql_query("SELECT * FROM `Games` WHERE `id` = '$q'");
$game = mysql_fetch_array($game);

echo "<h4>ID: ".$game[0]."<br /></h4>name: " . $game[1];

And I tried several SQLi requests and could not get my test page to error, or show any extra data.

But when i changed my sql statement code to this (Removed the single quotes around $q)..

$game = mysql_query("SELECT * FROM `Games` WHERE `id` = $q");

I could perform simple SQLi's and get some results.

So is just wrapping my user inputs in single quotes good enough? Or have i over looked more complex SQLi techniques?

  • 写回答

3条回答 默认 最新

  • dozr13344 2012-10-12 17:39
    关注

    Try this input:

    abc' OR id <> '

    it will lead to following statement:

    "SELECT * FROM `Games` WHERE `id` = 'abc' OR id <> ''"

    That would return all games instead of only one. If your page allows to show the whole result, then we would definitely see too much...

    The way out is to use PDO with prepared statements, are at least the mysqli_real_escape_string() function before inserting the user input into the SQL statement.

    SQL-Injection can do a lot more, in the worst case you can even get control over the server. Have a look at this SQL Injection Cheat Sheet

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

悬赏问题

  • ¥15 这个复选框什么作用?
  • ¥15 单通道放大电路的工作原理
  • ¥30 YOLO检测微调结果p为1
  • ¥20 求快手直播间榜单匿名采集ID用户名简单能学会的
  • ¥15 DS18B20内部ADC模数转换器
  • ¥15 做个有关计算的小程序
  • ¥15 MPI读取tif文件无法正常给各进程分配路径
  • ¥15 如何用MATLAB实现以下三个公式(有相互嵌套)
  • ¥30 关于#算法#的问题:运用EViews第九版本进行一系列计量经济学的时间数列数据回归分析预测问题 求各位帮我解答一下
  • ¥15 setInterval 页面闪烁,怎么解决