dongzang7182 2018-08-16 05:09
Views: 103

PHP PDO not working properly, SQL injection still possible

Thanks for the help everyone, I'm closer. I ended up putting the _GET into the bind instead of setting vars; I didn't see a point in that. I wasn't sure which answer to put in the SELECT, so this sample has the '?'. I tried both though. I also changed the bindParam to the sample above (:careerID and :title). The good news is the injection won't work, but the bad news is I cannot click on the link to view the description. Here is the edited code, again I appreciate any assistance!

$conn = new PDO('mysql:host=XXXX;dbname=XXXX', 'XXXX', 'XXXX');
// set the PDO error mode to exception
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Leave column names as returned by the database driver
$conn->setAttribute(PDO::ATTR_CASE, PDO::CASE_NATURAL);
// Convert Empty string to NULL
$conn->setAttribute(PDO::ATTR_ORACLE_NULLS, PDO::NULL_EMPTY_STRING);

$SQL = "SELECT *
          FROM careerapplicationpost,careerapplicationjobdescription
         WHERE careerapplicationpost.CareerApplicationPostID = '?'
           AND careerapplicationjobdescription.JobDescriptionTitle = '?'";

$sth = $conn->prepare($SQL);
// binding parameters
$sth->bindParam(':careerId', $_GET['CareerID'], PDO::PARAM_INT, 100);
$sth->bindParam(':title', $_GET['Title'], PDO::PARAM_STR, 100);
// executing statement
$sth->execute();
$resultSet = $sth->fetchAll();

// this loop sends the raw $SQL string again instead of reading $resultSet
foreach ( $conn->query($SQL) as $row ) {
    //setup the postings
    echo "<h2>";
    echo "<a href=\"/careers/view-career.php?CareerID=$row[CareerApplicationPostID]&Title=$row[JobDescription]\">$row[JobDescriptionDisplayTitle]</a><br />";
    echo "</h2><hr />";
    echo "<br />";
    echo $row['Location'];
    echo ", &nbsp;&nbsp;";
    echo $row['FullTimePartTime'];
    echo "<div class=\"postedon\">Posted on ";
    echo $row['PostedDate'];
    echo "</div>";
    echo "<br />";echo "<br />";
    echo "<strong>Summary:</strong>  ";
    echo $row['JobDescriptionSummary'];
    echo "<br />";echo "<br />";
    echo $row['JobDescriptionEdited'];
    echo "<div class=\"linebreak\">&nbsp;</div>";
    echo "<a href=\"/careers/files/DigiEmploymentApp.pdf\">Please fill out an application here.</a><br />";
    echo "<div class=\"clear\"></div>";
    echo "<hr />";
}

if (!$row['CareerApplicationPostID'])
{
    header("Location:index.php");
    exit;
}
$conn = null;


3 answers

  • dousi2029 2018-08-16 05:17

    You can easily fix your code:

    // take the request values into variables so bindParam can bind them by reference
    $careerId = $_GET['CareerID'];
    $title    = $_GET['Title'];

    $SQL = "SELECT *
              FROM careerapplicationpost,careerapplicationjobdescription
             WHERE careerapplicationpost.CareerApplicationPostID = :careerId
               AND careerapplicationjobdescription.JobDescriptionTitle = :title";

    $sth = $conn->prepare($SQL);
    // binding parameters
    $sth->bindParam(':careerId', $careerId, PDO::PARAM_INT);
    $sth->bindParam(':title', $title, PDO::PARAM_STR, 100);
    // run the prepared statement with the bound values
    $sth->execute();


    The problem was that you passed a query with the values already placed in the string variable $SQL, because you used variables inside of "".

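As an added example that is not part of the question or the answer: the two query forms side by side, run against an in-memory SQLite database with a cut-down schema (table and column names taken from the question, the rows and the `findPosting` helper are assumptions), showing why a quoted '?' matches nothing and how bound values keep a tampered title from altering the WHERE clause.

```php
<?php
// Added example, not code from the question or the answer. Uses an in-memory
// SQLite database and a two-table subset of the question's schema (assumed
// contents) so it runs stand-alone with: php example.php
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE careerapplicationpost (CareerApplicationPostID INTEGER, JobDescription TEXT)");
$conn->exec("CREATE TABLE careerapplicationjobdescription (JobDescriptionTitle TEXT, JobDescriptionDisplayTitle TEXT)");
$conn->exec("INSERT INTO careerapplicationpost VALUES (7, 'dev'), (8, 'ops')");
$conn->exec("INSERT INTO careerapplicationjobdescription VALUES ('dev', 'Developer'), ('ops', 'Operations')");

// 1. The question's form: a placeholder inside quotes is just a string.
$quoted = "SELECT * FROM careerapplicationpost, careerapplicationjobdescription
            WHERE careerapplicationpost.CareerApplicationPostID = '?'
              AND careerapplicationjobdescription.JobDescriptionTitle = '?'";
// '?' is compared as the one-character string "?", so no row matches;
// this is the text the question's foreach sends via $conn->query($SQL).
$rows = $conn->query($quoted)->fetchAll(PDO::FETCH_ASSOC);
printf("quoted '?' placeholders: %d row(s)\n", count($rows));

// 2. The answer's form: unquoted named placeholders, values bound separately.
$sql = "SELECT careerapplicationpost.CareerApplicationPostID, JobDescriptionDisplayTitle
          FROM careerapplicationpost, careerapplicationjobdescription
         WHERE careerapplicationpost.CareerApplicationPostID = :careerId
           AND careerapplicationjobdescription.JobDescriptionTitle = :title";

function findPosting(PDO $conn, string $sql, $careerId, string $title): array
{
    $careerId = (int) $careerId;            // request values arrive as strings
    $sth = $conn->prepare($sql);
    // bindParam binds by reference, so it needs variables, not $_GET[...] expressions
    $sth->bindParam(':careerId', $careerId, PDO::PARAM_INT);
    $sth->bindParam(':title', $title, PDO::PARAM_STR, 100);
    $sth->execute();
    // read the rows of the executed statement; do not re-run $conn->query($sql)
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

// Normal request (on the real page the values come from $_GET['CareerID'] and $_GET['Title']).
$ok = findPosting($conn, $sql, '7', 'dev');
printf("bound values: %d row(s), title %s\n", count($ok), $ok[0]['JobDescriptionDisplayTitle']);

// Tampered title: bound as one literal string it matches no row, instead of
// becoming part of the WHERE clause as it would inside a quoted "$SQL" string.
$bad = findPosting($conn, $sql, '7', "dev' OR '1'='1");
printf("tampered title: %d row(s)\n", count($bad));
```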
