当前位置: 首页 » php

Do I have to guard against SQL injection if I used a dropdown?

I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection. However, does this also apply to a form where the only input is from a dropdown(s) (see below)? I'm saving the $_POST['size'] to a Session which is then used throughout the site to query the various databases (with a mysqli Select query) and any SQL injection would definitel

2018-06-05 06:41:47

如果我使用下拉菜单,是否必须防范SQL注入?

我明白,您绝不应该信任来自表单的用户输入,主要是由于SQL注入的可能性。 但是,这是否也适用于唯一输入来自下拉菜单的形式(请参见下文)? 我将$_POST['size']到Session中,然后在整个站点中使用它来查询各种数据库(使用mysqli Select查询),并且任何SQL注入都肯定会损害(可能丢弃)它们。 没有区域用于输入查询数据库的类型用户输入,只有下拉(s)。 <form action="welcome.php" method="post"> <

2018-06-05 06:41:47

How to build a tree view with PHP / SQL?

What's the best way to: Get the data from the db using a single query Loop through the results building eg a nested unordered list My table has id , name and parent_id columns. Here's an update to my last answer, with a counter that gives each ul a nesting 'level' class, and some comments. Could anyone suggest how to adapt this to use table rows, without nesting, but wit

2018-06-05 06:32:30

如何使用PHP / SQL构建树视图?

什么是最好的方法: 使用单个查询从数据库获取数据 循环遍历结果构建,例如嵌套的无序列表 我的表有id , name和parent_id列。 这是对我最后一个答案的更新,有一个计数器给每个ul嵌套'级别'类和一些评论。 任何人都可以建议如何适应这个使用表行,没有嵌套,但有一些类编号层次结构的CSS / JS钩? <? // // Get the data // include_once("inc/config.php"); $query = "SELECT c.* FROM cate

2018-06-05 06:32:29

Can't see how my code can be SQL injected but apparently it can?

This question already has an answer here: Why shouldn't I use mysql_* functions in PHP? 14 answers (My implementation of MySQL uses # to denote comments, not // ). Here is how a user could get all of your products, active or not: &scatid=1059' UNION ALL SELECT * from products # Or an even easier way: &scatid=1059' OR 1=1 # For each example, imagine what the query would then

2018-06-05 06:28:22

无法看到我的代码如何被SQL注入,但显然它可以?

这个问题在这里已经有了答案: 为什么我不应该在PHP中使用mysql_ *函数? 14个答案 (我的MySQL实现使用#来表示注释,而不是// )。 以下是用户如何获取所有产品的信息: &scatid=1059' UNION ALL SELECT * from products # 或者更简单的方法: &scatid=1059' OR 1=1 # 对于每个示例,想象查询将如下所示: SELECT * FROM products WHERE sub_category='1059' OR 1=1 # AND active = 'Y' ORDER BY id DESC

2018-06-05 06:28:22

SQL injection attack with php

this is part of an assignment for my computer security class, so I'm not looking for specific answers, just some help. We were given a faulty program (in php) that controls a sql database (a bank account) and we have to find a way to create a SQL injection attack that will let us log into an account without knowing it's ID ahead of time. I'm pretty sure I know where the vulnerabil

2018-06-05 06:27:20

SQL注入攻击与PHP

这是我的计算机安全类的一部分,所以我不在寻找特定的答案,只是一些帮助。 我们给了一个控制sql数据库(一个银行账户)的错误程序(在php中),我们必须找到一种方法来创建一个SQL注入攻击,让我们提前登录到一个账户而不知道它的ID。 我很确定我知道这个漏洞在哪里,但我似乎无法让我的攻击行得通。 有问题的代码(有点长,但唯一重要的部分是在第一部分): <html><head><title>FrobozzCo Community

2018-06-05 06:27:20

Idiorm pdo prepared statement

I want to use the following idiorm (orm): https://github.com/j4mie/idiorm. It features following: Built on top of PDO. Uses prepared statements throughout to protect against SQL injection attacks. Now, in https://github.com/j4mie/idiorm/blob/master/idiorm.php I don't see the usage of prepared statament so my question is-> if I use the following code, am I using orm+pdo prepared sta

2018-06-05 06:22:10

Idiorm pdo准备了声明

我想使用下面的idiorm(orm):https://github.com/j4mie/idiorm。 它具有以下特点: 建立在PDO之上。 使用准备好的语句来防止SQL注入攻击。 现在,在https://github.com/j4mie/idiorm/blob/master/idiorm.php我没有看到准备好的使用情况,所以我的问题是 - >如果我使用下面的代码,我使用orm + pdo准备好了我的sql注入攻击保护的语句: require_once 'idiorm.php'; ORM::configure(array( 'connection_string'

2018-06-05 06:22:09

Trouble addressing sql injection with PDO

tl;dr: Rewrote database class using mysql to use PDO instead to make use of prepared statements, but running sqlmap from Kali still extracts tables from the website's database. How? Longer version: It came to my attention that one of our websites at work has a SQL injection vulnerability. So I got to looking into it, ran sqlmap from Kali, and it proceeded to extract all the tables from

2018-06-05 06:21:08

用PDO解决SQL注入问题

tl; dr:使用mysql重写数据库类以使用PDO来代替使用预处理语句,但从Kali运行sqlmap仍会从网站数据库中提取表。 怎么样? 更长的版本: 我注意到我们的一个网站在工作中存在SQL注入漏洞。 所以我开始研究它,从Kali运行sqlmap,然后从该网站的数据库中提取所有表。 看着它,网站使用的是旧的mysql api,经过一番研究,我决定改用PDO来利用预先准备好的语句来解决这个漏洞。 所以我主要重写了我们的数据库类并调用它来使

2018-06-05 06:21:07

plain mysql prepare statement prevent injection attack?

Everyone knows that PDO prepare statement helps us prevent SQL injection attack. How about this: function userQuery($username){ $mysqli->multi_query(" PREPARE stmt1 FROM 'SELECT * FROM user WHERE username=?'; SET @a = '$username'; EXECUTE stmt1 USING @a "); } userQuery('Kelvin'); Is this as safe as mysqli or PDO prepare statement? I'm asking this questi

2018-06-05 06:20:05

纯mysql预备语句防止注入攻击?

大家都知道,PDO准备声明可以帮助我们防止SQL注入攻击。 这个怎么样: function userQuery($username){ $mysqli->multi_query(" PREPARE stmt1 FROM 'SELECT * FROM user WHERE username=?'; SET @a = '$username'; EXECUTE stmt1 USING @a "); } userQuery('Kelvin'); 这是否像mysqli或PDO准备声明一样安全? 我问这个问题是因为我在wiki上发现了这些句子: 已准备好的语句对SQL注入

2018-06-05 06:20:05

PDO, Prepared statements and SQL

After reading several articles about PDO and MySQLi prepared statements, also already read tens of questions concerning prepared statements and SQL injection on stackoverflow.com , people were saying that with the correct use of prepared statements there's no need anymore to escape entries from users, But I think I am still worried having security concerns. 1st Question: If I still sanitize

2018-06-05 06:19:04

PDO,Prepared语句和SQL

在阅读了几篇关于PDO和MySQLi准备语句的文章之后,他们也已经阅读了关于stackoverflow.com上的准备好的语句和SQL注入的几十个问题,人们说,正确使用准备好的语句不再需要从用户转义条目,但是我想我仍然担心有安全问题。 第一个问题:如果我在准备好的语句中使用reg-exp和escape之前仍然使用它们来处理条目,那么就像我过度使用它? 第二个问题:如果准备好的陈述正在做有关SQL注入的工作 - 从人们的意见和答案 - 为什么仍

2018-06-05 06:19:03

prepare() prepared statement (not PDO) prevent SQL

PDO ist not supported in target system I'm working on and though I seek a solution for preventing SQL-Injection using PHP 5.1.x on a PostGres-DB 8.2+ . There is at the moment no chance of switching to PDO. My solution at the moment is pg_prepare-prepared statement: // Trying to prevent SQL-Injection $query = 'SELECT * FROM user WHERE login=$1 and password=md5($2)'; $result = pg_prepare($d

2018-06-05 06:18:02

准备()准备语句(不是PDO)阻止SQL

我正在研究的目标系统中不支持PDO ,尽管我正在寻找一种在PostGres-DB 8.2+上使用PHP 5.1.x防止SQL注入的解决方案。 目前没有机会切换到PDO。 目前我的解决方案是pg_prepare-prepared声明: // Trying to prevent SQL-Injection $query = 'SELECT * FROM user WHERE login=$1 and password=md5($2)'; $result = pg_prepare($dbconn, "", $query); $result = pg_execute($dbconn, "", array($_POST["user"], $_POST["password"

2018-06-05 06:18:01

Do PHP PDO prepared statements need to be escaped?

On the PDO::Prepare page it states, "and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters" Knowing this, is there a PHP function like mysql_real_escape_string() that takes care of escaping stings for PDO? Or does PDO take care of all escaping for me? EDIT I realize now that I asked the wrong question. My question really was, "

2018-06-05 06:17:00

PHP PDO准备的语句是否需要转义?

在PDO :: Prepare页面上, “并通过不需要手动引用参数来帮助防止SQL注入攻击” 了解这一点,是否有像mysql_real_escape_string()这样的PHP函数来处理PDO的转义响应? 还是PDO照顾所有逃避我? 编辑 我现在意识到我提出了错误的问题。 我的问题确实是,“PDO为我照顾什么?” 我现在认识到,这些答案确实只是避免了引号的需要。 但我仍然需要对传递给execute函数的值进行其他任何PHP清理调用。 如htmlentities(),s

2018-06-05 06:16:59