当前位置: 首页 » php

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's because the user can input something like value'); DROP TABLE table;-- value'); DROP TABLE table;-- , an

2018-06-05 06:15:58

我如何防止PHP中的SQL注入?

如果用户输入未经修改而插入到SQL查询中,则该应用程序容易受到SQL注入的影响,如下例所示: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); 这是因为用户可以输入类似value'); DROP TABLE table;--东西value'); DROP TABLE table;-- value'); DROP TABLE table;-- ,查询变为: INSERT INTO `table` (`column`) VALUES('value'); DRO

2018-06-05 06:15:57

Secure against SQL Injection

Possible Duplicate: Best way to prevent SQL Injection in PHP I just found that my website is vunerable. Since it's connected to a DB and have functions like: Register, Change Password, Notices, etc... and SUPOSING it's fully vulnerable. What should I look for into the code in order to start making it safe? I mean, I did some researches and everywhere, everyone says different thi

2018-06-05 06:14:56

防止SQL注入

可能重复: 防止PHP中的SQL注入的最佳方法 我刚刚发现我的网站很可靠。 由于它连接到一个数据库,并具有如下功能:注册,更改密码,通知等...和SUPOSING它是完全脆弱的。 为了开始安全,我应该在代码中寻找什么? 我的意思是,我做了一些研究,到处都是,每个人都说不同的安全问题。 “使用PDO”。 “使用mysql_real_escape_string。” “使用addslashes。” 我究竟应该寻找什么? "$_POST" and "$_GET" variables??

2018-06-05 06:14:55

Make this query safe?

Possible Duplicate: Best way to stop SQL Injection in PHP I have seen some of examples that use something called a PDO to make a query safe from sql-infection, or others that use real_escape, but they all seem to be incomplete or assume some knowledge. So I ask, take this simple update query and make it safe from sql-injection. function updateUserName($id,$first,$last) { $qry = 'UPDATE

2018-06-05 06:13:54

使这个查询安全吗?

可能重复: 在PHP中停止SQL注入的最佳方法 我已经看到一些使用称为PDO的示例来使sql-infection或其他使用real_escape的查询变得安全,但它们似乎都不完整或假设一些知识。 所以我问,采取这个简单的更新查询,并从SQL注入安全。 function updateUserName($id,$first,$last) { $qry = 'UPDATE user SET first = "'.$first.'", last = "'.$last.'" WHERE id = '.$id; mysql_query($qry) or die(mysql_error()); }

2018-06-05 06:13:53

MySQL Injection by LIKE operator

This question already has an answer here: How can I prevent SQL injection in PHP? 28 answers Any operator can be injected without binding. $_POST['search'] = "1%'; DROP TABLE myTable LIKE '%"; Would make .... AND tags,title,text LIKE '%1%'; DROP TABLE myTable LIKE '%%' Read on how to bind parameters. Of course this can be injected, you need to sanitize your input. Right now you are ta

2018-06-05 06:12:52

LIKE运算符的MySQL注入

这个问题在这里已经有了答案: 我如何防止PHP中的SQL注入? 28个答案 任何操作员都可以无需绑定地注入。 $_POST['search'] = "1%'; DROP TABLE myTable LIKE '%"; 将使 .... AND tags,title,text LIKE '%1%'; DROP TABLE myTable LIKE '%%' 阅读如何绑定参数。 当然这可以注入,你需要清理你的输入。 现在,您正在使用原始数据并将其插入到SQL语句中。 你应该通过某种数据清理来运行你的POST数据,比如mysql_real_

2018-06-05 06:12:51

php mysqli insert variables query

This question already has an answer here: How can I prevent SQL injection in PHP? 28 answers Hello this is for anyone who might still need accomplish what was asked in original question. A reason why someone possibly might want to not use prepared statements--from: http://www.php.net/manual/en/mysqli.quickstart.statements.php "Using a prepared statement is not always the most effici

2018-06-05 06:11:50

php mysqli插入变量查询

这个问题在这里已经有了答案: 我如何防止PHP中的SQL注入? 28个答案 对于任何可能仍需要完成原始问题中提出的问题的人,你好。 某人可能不想使用预先准备的语句的原因 - 来自:http://www.php.net/manual/en/mysqli.quickstart.statements.php “使用准备好的语句并不总是最有效的执行语句的方式,只执行一次准备好的语句会导致比未准备好的语句更多的客户端 - 服务器往返。” //you will want to clean variables prope

2018-06-05 06:11:49

Protection against SQL injection

This question already has an answer here: How can I prevent SQL injection in PHP? 28 answers You may want to look into parameterized queries for querying the database. This eliminates SQL injection attacks. I work primarily with postgreSQL, and the format for doing such a query would look something like this: $query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2'; $p

2018-06-05 06:09:46

防止SQL注入

这个问题在这里已经有了答案: 我如何防止PHP中的SQL注入? 28个答案 您可能需要查看参数化查询以查询数据库。 这消除了SQL注入攻击。 我主要使用postgreSQL工作,做这样的查询的格式看起来像这样: $query = 'select * from Benutzer where Benutzername = $1 and Passwort = $2'; $params = array($Benutzer, md5($PW)); $results = pg_query_params($query, $params); 大多数数据库都有一个类似于这种功能的功能。

2018-06-05 06:09:46

PHP MySQL $

Possible Duplicate: Best way to stop SQL Injection in PHP If I were to use the $_GET function to retrieve a variable from the URL how can I make it hack proof? Right now I just have addSlashes, what else should I add? $variable1 = addslashes($_GET['variable1']); //www.xxxxx.com/GetTest.php?variable1=xxxx The first and foremost rule with ANY input, not just $_GET but even with $_POST, $_FIL

2018-06-05 06:08:44

PHP MySQL $

可能重复: 在PHP中停止SQL注入的最佳方法 如果我要使用$ _GET函数从URL中检索变量,我该如何使它成为黑客证明? 现在我只有addSlashes,我应该添加什么? $variable1 = addslashes($_GET['variable1']); //www.xxxxx.com/GetTest.php?variable1=xxxx 使用ANY输入的首要规则,不仅仅是$ _GET,即使使用$ _POST,$ _FILES和从磁盘读取的或从流中读取的任何内容都应该始终验证。 现在要更详细地回答你的问题,你有这个世

2018-06-05 06:08:44

Am I safe from a mysql injection?

This question already has an answer here: How can I prevent SQL injection in PHP? 28 answers I think that you are confusing two security issues: SQL injection and cross-site scripting (XSS). A website is vulnerable to SQL injection when improperly sanitized user input is used in an SQL query that is sent to the SQL database. This code, for example, introduces an SQL injection vulnerabilit

2018-06-05 06:07:42

我是否从mysql注入安全?

这个问题在这里已经有了答案: 我如何防止PHP中的SQL注入? 28个答案 我认为你混淆了两个安全问题:SQL注入和跨站点脚本(XSS)。 如果在发送到SQL数据库的SQL查询中使用不正确的清理过的用户输入,则网站容易受到SQL注入攻击。 例如,该代码引入了SQL注入漏洞: mysql_query("INSERT INTO postmessages (postmessage) VALUES ('" . $_POST['postmessage'] . "')"); 这个问题很容易通过使用像mysql_real_escape_string

2018-06-05 06:07:42

how to insert into mysql using Prepared Statement with php

This question already has an answer here: How can I prevent SQL injection in PHP? 28 answers sample.html <form action="sample.php" method="POST"> <input name="sample" type="text"> <input name="submit" type="submit" value="Submit"> </form> sample.php <?php if (isset($_POST['submit'])) { $mysqli = new mysqli('localhost', 'user', 'password', 'mysampledb');

2018-06-05 06:06:40

如何使用Prepared Statement和php插入到mysql中

这个问题在这里已经有了答案: 我如何防止PHP中的SQL注入? 28个答案 sample.html <form action="sample.php" method="POST"> <input name="sample" type="text"> <input name="submit" type="submit" value="Submit"> </form> sample.php <?php if (isset($_POST['submit'])) { $mysqli = new mysqli('localhost', 'user', 'password', 'mysampledb'); /* check connection */

2018-06-05 06:06:40

PHP MySQL injection example?

This question already has an answer here: How can I prevent SQL injection in PHP? 28 answers One of the most common examples is this query: ' or '1'='1 If you enter this as the username and password into some unsanitized login input the query changes like so: Original: SELECT * FROM USERS WHERE USER='' AND PASS=''; Modified: SELECT * FROM USERS WHERE USER='' or '1'='1' AND PASS='' or '1'=

2018-06-05 06:05:38

PHP的MySQL注入示例?

这个问题在这里已经有了答案: 我如何防止PHP中的SQL注入? 28个答案 这个查询最常见的例子之一是: ' or '1'='1 如果你输入这个作为用户名和密码到一些unsanitized登录输入查询更改如下所示: Original: SELECT * FROM USERS WHERE USER='' AND PASS=''; Modified: SELECT * FROM USERS WHERE USER='' or '1'='1' AND PASS='' or '1'='1'; 这会导致它寻找的每个东西都是真实的,因为1总是等于1.这种方法的问题是它不允

2018-06-05 06:05:38