doufei0933 2013-05-29 20:23
浏览 17
已采纳

htaccess中的mod_rewrite有助于防止注入吗?

I'm working on identifying and fixing SQL injection holes. I've made the conversion to pdo/prepared statements in a number of places.

However, we have one page that looks like this:

www.site.com/domain/products/12345/description-of-the-product

In htaccess, this is rewritten to:

www.site.com/domain/product.php?id=12345

The htacess looks like this:

RewriteRule ^(.*)/products/([0-9]+)/([^/\.]+)/?$ /$1/product.php?id=$2 [L]

So, here's my question: Since the url is being rewritten with mod_rewrite, which is only matching against ingtegers, is this some protection against sql injections? If you try anything else in the URL besides an integer, the user just gets a 404 error since the page doesn't exist and the mod_rewrite didn't get activated?

Thanks in advance.

  • 写回答

4条回答 默认 最新

  • duanlu1279 2013-05-29 20:29
    关注

    No it does not because a malicious user could simply go to the URL

    www.site.com/domain/product.php?id=123'; DROP TABLE products;

    and bypass your mod_rewrite entirely. Although only integers will be rewritten, the URL that they are being rewritten to use is still live and accessible. Any time you are making an SQL query you should sanitize every input going into your query at that point using PDO etc.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥15 使用ue5插件narrative时如何切换关卡也保存叙事任务记录
  • ¥20 软件测试决策法疑问求解答
  • ¥15 win11 23H2删除推荐的项目,支持注册表等
  • ¥15 matlab 用yalmip搭建模型,cplex求解,线性化处理的方法
  • ¥15 qt6.6.3 基于百度云的语音识别 不会改
  • ¥15 关于#目标检测#的问题:大概就是类似后台自动检测某下架商品的库存,在他监测到该商品上架并且可以购买的瞬间点击立即购买下单
  • ¥15 神经网络怎么把隐含层变量融合到损失函数中?
  • ¥15 lingo18勾选global solver求解使用的算法
  • ¥15 全部备份安卓app数据包括密码,可以复制到另一手机上运行
  • ¥20 测距传感器数据手册i2c