douchen7555 2013-12-16 11:30
Views: 31
Accepted

How can I safely pass PHP variables through URL rewriting?

I have a list of linked thumbnails. Each thumbnail has a link with one variable.

<a href="index.php?id=1"><img src="thumb1.jpg"></a>
<a href="index.php?id=2"><img src="thumb2.jpg"></a>

etc...

Now I've updated the site to use URL rewriting. The idea is that I have links like this:

<a href="gallery/?id=1"><img src="thumb1.jpg"></a>
<a href="gallery/?id=2"><img src="thumb2.jpg"></a>

or something similar.

On the landing page, I use $id to execute a MySQL query and show all pictures from the gallery with that id.

$pictures = mysql_query("SELECT * FROM t_gallery where id=$id",$db);

Can it be done, and most importantly, how can I prevent passing the id from posing a security threat?

Cheers, Aleks


3 answers

  • dpruwm6206 2013-12-16 11:34

    The URL-rewriting part does not itself really introduce any new security threats; the issue is the usage of mysql_* functions (which are deprecated) and not escaping the $id request variable.

    If you are scared of SQL injections (as one should be), either escape the $id variable before using it in the query or rather use prepared statements (and then switch to either mysqli or PDO, which you should do in any case because mysql_* is deprecated!).

    Always validate and escape anything that you are about to use in a database query.

    This answer was selected as the best answer by the asker.
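The accepted answer recommends validating the id and moving from mysql_* string interpolation to prepared statements with PDO or mysqli. The following is an added example, not code from the question or the answer, showing the asker's gallery lookup rewritten that way: the id from the rewritten URL (gallery/?id=1) is validated as a positive integer and then bound as a query parameter, so it never becomes part of the SQL text. The table name t_gallery and column id come from the question; the DSN, credentials and the filename column are placeholders I assumed.

```php
<?php
// Added example (not from the original question or answer).
// Original, vulnerable form from the question, for comparison:
//   $pictures = mysql_query("SELECT * FROM t_gallery where id=$id", $db);
// Here $id is interpolated into the SQL string, so a crafted id changes the query.

declare(strict_types=1);

/**
 * Validate the id taken from the rewritten URL (gallery/?id=1).
 * Only a positive integer is accepted; anything else yields null.
 */
function galleryIdFromRequest(array $query): ?int
{
    if (!isset($query['id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects values such as "1.5", "abc", "" or
    // anything with SQL fragments appended; min_range rejects 0 and negatives.
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch all pictures of one gallery with a prepared statement.
 * The id is bound as a parameter, so no manual escaping is needed.
 */
function picturesForGallery(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT * FROM t_gallery WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- usage on the landing page ----------------------------------------

// Placeholder connection details (assumed); replace with your own.
$db = new PDO(
    'mysql:host=localhost;dbname=gallery_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]
);

$id = galleryIdFromRequest($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid gallery id');
}

foreach (picturesForGallery($db, $id) as $picture) {
    // 'filename' is an assumed column name; escape on output as well,
    // since database values are placed into HTML here.
    printf('<img src="%s">', htmlspecialchars($picture['filename'], ENT_QUOTES, 'UTF-8'));
}
```

Validation and binding address different things: the integer check gives a clean 400 for malformed ids, while the bound parameter is what actually keeps untrusted input out of the SQL text. The same structure works with mysqli using prepare(), bind_param('i', $id) and execute().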
