2013-12-16 11:30  27 views


I have a list of linked thumbnails. Each thumbnail has a link with one variable.

<a href="index.php?id=1"><img src="thumb1.jpg"></a>
<a href="index.php?id=2"><img src="thumb2.jpg"></a>


Now, I've updated the site to use URL rewriting. The idea is that I have links like this

<a href="gallery/?id=1"><img src="thumb1.jpg"></a>
<a href="gallery/?id=2"><img src="thumb2.jpg"></a>

or something similar.

On the landing page, I use $id to execute a MySQL query and show all pictures from the gallery with that id.

$pictures = mysql_query("SELECT * FROM t_gallery where id=$id",$db);

Can it be done, and, the main thing, how can I prevent passing the id from posing a security threat?

Cheers, Aleks


3 answers

  • Accepted
    dpruwm6206 dpruwm6206 2013-12-16 11:34

    The URL-rewriting part does not itself really introduce any new security threats; the issue is the usage of mysql_* functions (which are deprecated) and not escaping the $id request variable.

    If you are scared of SQL injections (as one should be), either escape the $id variable before using it in the query or rather use prepared statements (and then switch to either mysqli or PDO, which you should do in any case because mysql_* is deprecated!).

    Always validate and escape anything that you are about to use in a database query.

  • doufu1950 doufu1950 2013-12-16 11:34

    Please be aware of SQL injection vulnerabilities and make sure you sanitize any user input or consider using prepared statements.

  • dsgwii4867 dsgwii4867 2013-12-16 11:58

    For a particular implementation, I leave this encapsulated piece of code:

    function ControllerAction($id=null) {
      // I like to formalize on entry; this is supposed to be an absolute integer and nothing else
      $id = abs((int)$id);
      $q = 'SELECT * FROM t_gallery where id = ?'; // placeholder
      // use PDO, it's safe and very comfortable
      $pdo = get_pdo_connection($whatever_you_need); // your own helper that returns a configured PDO instance
      // prepare it because it has placeholders, and because there is external input coming in
      $stmt = $pdo->prepare($q);
      // execute it
      $stmt->execute(array($id)); // read the reference documentation to understand this clearly
      // now the stmt object holds the results
      return $stmt->fetchObject(); // whatever you like here, I like to make a DAO
    }

    In this example that simple incoming parameter has already been prepared for use, but I still use prepared statements for consistency (my own code convention).

    Alert: This uses some form of half-assed MVC/MVP/MVVM (I'm not sure anymore) type architecture

    • you could actually make your href URLs like this if you are using URL rewriting to further implement your SEO links

      // usage
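An added example, not code from the thread, that puts the accepted answer's advice and the PDO snippet above side by side: the question's string-built query next to a validated, parameterised version. It assumes PHP with the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL); the table contents and the tampered id value are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed sample data: an in-memory SQLite table shaped like the question's t_gallery.
function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE t_gallery (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO t_gallery (id, name) VALUES (1, 'alps'), (2, 'beach')");
    return $pdo;
}

// Vulnerable: the raw ?id= value is interpolated into the SQL text,
// exactly like the question's mysql_query("... where id=$id") line.
function fetchGalleryUnsafe(PDO $pdo, string $id): array {
    $stmt = $pdo->query("SELECT * FROM t_gallery WHERE id=$id");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: first validate that the value is a positive integer (a gallery id
// can be nothing else), then bind it as a typed parameter so the driver never
// treats it as part of the SQL statement.
function fetchGallerySafe(PDO $pdo, string $rawId): array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject anything that is not a positive integer (a 404 would also be reasonable)
    }
    $stmt = $pdo->prepare('SELECT * FROM t_gallery WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = setupDb();
$tampered = '1 OR 1=1'; // constructed example of a manipulated ?id= value

// The unsafe version lets the WHERE clause be rewritten and returns every gallery;
// the safe version rejects the value outright, and a genuine id still works.
printf("unsafe, id=%s: %d row(s)\n", $tampered, count(fetchGalleryUnsafe($pdo, $tampered)));
printf("safe,   id=%s: %d row(s)\n", $tampered, count(fetchGallerySafe($pdo, $tampered)));
printf("safe,   id=2: %d row(s)\n", count(fetchGallerySafe($pdo, '2')));
```

With the .htaccess rewrite from the question, the same functions serve `gallery/?id=2` unchanged, since the rewrite only changes how the `id` query parameter reaches PHP, not what must be done with it.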