SQL Injection Prevention Using Error Page
Possible Duplicate:
Best way to stop SQL Injection in PHP
I am curious what is the best way to prevent SQL injections through URL parameters - for example if the user visited http://mydomain.com/info.php?id='50
I am told the above URL with the parameter can allowed Brutal SQL injections, so what exactly is the best way of preventing this from happening?
Would sending the user to an error page when "or die" takes place prevent these SQL injection?
您应该查看OWASP SQL注入预防备忘单https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet。
$id = (string) $_GET['id'];
if(ctype_digit($id) === false)
{
echo 'You wanted to try brutal SQL injection! You will die now!';
die();
}
这取决于情况的数量,因此提供更清晰的问题。
链接地址: http://www.djcxy.com/p/93704.html上一篇: 这是通过PDO使用SELECT的安全方式
下一篇: SQL注入预防使用错误页面