Mst*_*QKN 3 php mysql sql sql-injection
我正在使用一个简单的cms作为我的网站的后端,我可以更新新闻等.我希望从SQL注入中安全,所以我想知道这段代码是否被认为是安全的,或者我是否可以做些什么来使它更安全:
if($_POST) {
if(isset($_POST['title']) and (isset($_POST['content']) and ($_POST['added']))) {
$title = "'".mysql_real_escape_string($_POST['title'])."'";
$content = "'".mysql_real_escape_string($_POST['content'])."'";
$added = "'".mysql_real_escape_string($_POST['added'])."'";
if(isset($_POST['id']) && $_POST['id']!=''){
$result = mysql_query("UPDATE news SET title = ".$title.", added =".$added.", content = ".$content." WHERE id = ".$_POST['id']);
$msg = "News Updated Successfully";
}else{
$result = mysql_query("INSERT INTO news (title, content, added) values($title, $content, $added)") or die("err0r");
$msg = "News Added Successfully";
}
}
谢谢,祝你有个美好的一天!
你没有消毒 $_POST['id'].
intval()如果ID不是整数(假设ID是int字段),请执行此操作,或者(更好)拒绝处理.
if (!is_numeric($_POST['id'])
die ("Invalid ID");