Tec*_*eer 4 php mysql sql-injection
我有一个简单的html输入文本框,形式非常简单.此表单的信息表单使用sql字符串传输到mysql数据库.
一切都很有效,除非有人输入"或".我不想限制用户输入的内容.
在对数据库运行查询之前,我应该查找并替换字符串吗?
有一个简单的方法吗?
这是一些代码:
<?php
session_start();
if (empty($_SESSION['user']) && empty($_REQUEST['form'])) //check this code!!1
{
exit;
}
if (isset($_REQUEST['Submit']))
{
//echo "Let's process this form!";
include "config.php";
include "mail.php";
if ($_REQUEST['form'] == "profile")
{//public profile
//print_r($_REQUEST);
//"UPDATE `tims`.`pending_profile` SET `nickname` = 'I Don''t Have One' WHERE `pending_profile`.`id` = 1;";
$sql = "INSERT INTO `tims`.`pending_profile`"
. "(`id`, `nickname`, `location`, `role`, `yog`, `interests`, `favMoment`, `gainThisYr`, `futurePlans`, `bio`) \n"
. "VALUES ('" . $_SESSION['id'] . "', '" . $_REQUEST['nickname'] . "', '" . $_REQUEST['town'] . "', '" . $_REQUEST['role'] . "', '" . $_REQUEST['yog'] . "', '" . $_REQUEST['interests'] . "', '" . $_REQUEST['fav_moment'] . "', '" . $_REQUEST['gain'] . "', '" . $_REQUEST['future'] . "', '" . $_REQUEST['bio'] . "')\n"
. "ON DUPLICATE KEY UPDATE nickname ='" . $_REQUEST['nickname'] . "', location='" . $_REQUEST['town'] . "', role= '" . $_REQUEST['role'] . "', yog='" . $_REQUEST['yog'] . "', interests='" . $_REQUEST['interests'] . "', favMoment='" . $_REQUEST['fav_moment'] . "', gainThisYr='" . $_REQUEST['gain'] . "', futurePlans='" . $_REQUEST['future'] . "', bio='" . $_REQUEST['bio'] . "'\n";
$qry = mysql_query($sql) or die(mysql_error());
//@todo overlay this
//http://flowplayer.org/tools/overlay/index.html
//send mail to moderators
include "vars.php";
$to = $captMail;
$prof = implode("\n", $_REQUEST);
$subject = "Moderation Needed";
$body = $_SESSION['fullname'] . " Has just changed their public profile.\n" .
"Please login here to moderate their changes:\n" .
//"http://team2648.com/OPIS/login.php?page=manage".
"http://www." . $sysurl . "/login.php?page=manage\n" .
"Best,\n" .
"Blake\n\n\n" .
"Click here to accept the profile bleow\n\n" .
"http://www." . $sysurl . "/login.php?page=manage&acceptID=".$_SESSION['id']."\n" .
$prof;
mailer($to, $subject, $body);
$to = $mentorMail;
mailer($to, $subject, $body);
echo "<link href=\"../css/styling.css\" rel=\"stylesheet\" type=\"text/css\" media=\"screen\" />";
echo "<div class =\"widget\" style=\"width:350px\">";
echo "Your changes have been saved, they will not go live until reviewed by a moderator";
echo "<br>";
echo "<a href=\"../\">Click here to continue</a>";
echo "</div>";
}
exit;
}
$sql = "SELECT * FROM `pending_profile` WHERE id ='" . $_SESSION['id'] . "'";
$qry = mysql_query($sql) or die(mysql_error());
$row = mysql_fetch_assoc($qry);
?>
<!--<h3>Use this page to manage your profile information</h3>-->
<h4>Public Profile</h4>
<strong>NOTE:</strong> Fields filled with [NONE] will not show on the website.
<br />
<form id="profile" name="profile" method="get" action="lib/preview.php">
<input type="hidden" value="profile" name="form">
<input type="hidden" value="<?php echo $_SESSION['id']; ?>" name="id">
<table>
<tr>
<td><label for="myname">Hello, My name is:</label><td>
<td><input type="text" readonly="readonly" name="myname" value="<?php echo $_SESSION['firstname']; ?>"/><td>
</tr>
<tr>
<td><label for="nickname">But I like to be called:</label><td>
<td><input type="text" name="nickname" value="<?php echo $row['nickname']; ?>"/><td>
</tr>
<tr>
<td><label for="town">I live in:</label><td>
<td><input type="text" name="town" value="<?php echo $row['location']; ?>"/><td>
</tr>
<tr>
<td><label for="role">My role on the team is:</label><td>
<td><input type="text" name="role" value="<?php echo $row['role']; ?>"/><td>
</tr>
<tr>
<td><label for="yog">I will graduate High School in:</label><td>
<td><input type="text" name="yog" value="<?php echo $row['yog']; ?>"/><td>
</tr>
<tr>
<td><label for="interests">Some of my interests are:</label><td>
<td><input type="text" name="interests" value="<?php echo $row['interests']; ?>"/><td>
</tr>
<tr>
<td><label for="fav_moment">One of my favorite team moments:</label><td>
<td><input type="text" name="fav_moment" value="<?php echo $row['favMoment']; ?>"/><td>
</tr>
<tr>
<td><label for="gain">I would like to gain the following this year:</label><td>
<td><input type="text" name="gain" value="<?php echo $row['gainThisYr']; ?>"/><td>
</tr>
<tr>
<td><label for="future">My future plans include:</label><td>
<td><input type="text" name="future" value="<?php echo $row['futurePlans']; ?>"/><td>
</tr>
<tr>
<td><label for="bio">My Bio:</label><td>
<td><textarea name="bio" ><?php echo $row['bio']; ?></textarea><td>
</tr>
</table>
* All fields are required.
<?php
include "disclaimer.php";
// @todo add js validation of all fields filled in
?>
<br><input type="submit" name="Submit" value=" I Agree, Preview "/>
</form>
Gal*_*len 11
你的代码充满了sql注入的机会.用准备好的陈述查看PDO.或至少mysql_real_escape_string.不要使用你的代码.
也...
不要使用$ _REQUEST.使用适当的全局$ _POST或$ _GET.GET请求不应该更改任何内容,因此您应该使用$ _POST.
在将所有用户输入放入数据库之前,必须使用函数mysql_real_escape_string.
例如:
改变$_REQUEST['nickname']以mysql_real_escape_string($_REQUEST['nickname'])
或者使用预备陈述.
访问数据库时始终使用参数化查询.正如您所做的那样构建动态SQL语句是对SQL注入攻击的邀请(以及您正在看到的错误.)
在PHP中,执行此操作的代码如下所示
$mysqli = new mysqli('localhost', 'my_user', 'my_password', 'world');
$stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)");
$stmt->bind_param('sssd', $code, $language, $official, $percent);
(无耻地从PHP手册中获取).