那些遇到过的问题

防止SQL注入

-1 php mysql forms sql-injection

可能的重复:
在PHP中停止SQL注入的最佳方法
在PHP中,当向数据库提交字符串时,我应该使用htmlspecialchars()处理非法字符还是使用正则表达式?

昨天我问了一个关于脚本不工作的问题,而我最终自己解决了这个问题.有人谈论SQL注入风险.

所以我今天要问的是,使用下面插入的代码,如何防止SQL注入?

所以任何指导的建议.我知道我可以在互联网上阅读关于SQL注入的信息,但是有很多相互矛盾的文章,我不知道哪个是正确的.

这是代码,这是所有放在它自己的页面中让我们说'form-process.php'然后表单将数据提交到例如 

<?
session_start(); 

$_SESSION['Title'] = stripslashes($_REQUEST['Title']); 
$_SESSION['ShortTitle'] = stripslashes($_REQUEST['Title']); 
$_SESSION['Category'] = stripslashes($_REQUEST['Category']); 
$_SESSION['Story'] = stripslashes($_REQUEST['Story']);
$_SESSION['FrontPage'] = stripslashes($_REQUEST['FrontPage']);
$_SESSION['imagefilename'] = ($_FILES['image']['name']); 

if (empty($_REQUEST['Title'])) { 
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=0"); 
exit; 
} elseif (empty($_REQUEST['ShortTitle'])) { 
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=1"); 
exit; 
} elseif (strlen($_REQUEST['Category']) < 1) {
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=2"); 
exit;
} elseif (empty($_REQUEST['Story'])) { 
header("Location: ". $_SERVER['HTTP_REFERER'] ."?message=3"); 
exit;  
} else { 

include("settings.php"); 
include("dbconnect.php"); 

if($_POST['btnSubmit'] == 'Publish'){
    $target = "../../../images/matchreports/uploaded/";
    $target = $target . time() . '-' . basename( $_FILES['image']['name']);
    if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
    $image=time() . '-' . basename( $_FILES['image']['name']);      
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(y) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Publishing 1");

    header("Location: /cms/matchreports/index.php?message=4");  
    exit;

} else {

$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];    
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Publishing 2");

    header("Location: /cms/matchreports/index.php?message=5");  
    exit;}}

if($_POST['btnSubmit'] == 'Save draft'){
    $target = "../../../images/matchreports/uploaded/";
    $target = $target . time() . '-' . basename( $_FILES['image']['name']);
    if(move_uploaded_file($_FILES['image']['tmp_name'], $target)){
    $image=time() . '-' . basename( $_FILES['image']['name']);      
    $newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,image,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$image','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Saving Draft 1");

    header("Location: /cms/matchreports/index.php?message=6");  
    exit;

} else {

$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];    
$SQL = "INSERT INTO " . $match_reports_table . " (Title,ShortTitle,Story,FrontPage,active,date,user_ip) VALUES('" . addslashes($_REQUEST['Title']) . "','" . addslashes($_REQUEST['ShortTitle']) . "','" . addslashes($_REQUEST['Story']) . "','" . addslashes($_REQUEST['FrontPage']) . "','" . addslashes(n) . "','$newdate','" . addslashes($_SERVER['REMOTE_ADDR']) . "')";
    $result = @mysql_query($SQL) or die("Error Saving Draft 2");

    header("Location: /cms/matchreports/index.php?message=7");  
    exit;}}

if($_POST['btnSubmit'] == 'Publish changes'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . y . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News"); 

header("Location: /cms/matchreports/index.php?message=8");
exit;}

if($_POST['btnSubmit'] == 'Publish draft to website'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . y . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News"); 

header("Location: /cms/matchreports/index.php?message=9");
exit;}

if($_POST['btnSubmit'] == 'Save changes to draft'){
//This gets all the other information from the form
$newdate = $_POST['date_y'].''.$_POST['date_m'].''.$_POST['date_d'];
$SQL = "UPDATE " . $match_reports_table . " SET Title='" . addslashes($_REQUEST            ['Title']) . "',ShortTitle='" . addslashes($_REQUEST['ShortTitle']) . "',Story='" . addslashes($_REQUEST['Story']) . "',Category='" . addslashes($_REQUEST['Category']) . "',FrontPage='" . addslashes($_REQUEST['FrontPage']) . "',active = '" . n . "',date='$newdate' WHERE ID=" . $_REQUEST['ID'] . "";
$result = @mysql_query($SQL) or die("Error Updating News"); 

header("Location: /cms/matchreports/index.php?message=10");
exit;}

}?>
Run Code Online (Sandbox Code Playgroud)

Rij*_*ijk 6

使用PDO和准备好的声明.

  • @col.弹片 - 是的,而称为PDO的"工具"非常棒.如果你在使用PDO时得到"吨"的代码,你应该考虑一下你的问题,而不是"工具"本身.糟糕的编码器,可以使用任何"工具"编写丑陋的代码.但即使你是那种编码器,我想最好用PDO编写一个丑陋但安全的代码而不是使用OLD mysql库的丑陋且不安全的代码,这个代码自PHP 4.1以来就没有更新过,因为所有的工作都集中在PDO/mysqli扩展上. (2认同)

归档时间:

查看次数:

651 次

最近记录:

14 年,2 月 前
如何在PHP中阻止SQL注入? 2776
如何在PHP中阻止SQL注入? 2776
在PHP中,当我向数据库提交字符串时,我应该使用htmlspecialchars()处理非法字符还是使用正则表达式? 19
在PHP中,当我向数据库提交字符串时,我应该使用htmlspecialchars()处理非法字符还是使用正则表达式? 19
更多相关链接
相关归档
ORDER BY日期和时间BEFORE在mysql中的GROUP BY名称 54
使用PHP将2-3个透明的PNG图像相互叠加 25
用于PHP的微框架(如Flask或Sinatra) 23
PHP strtotime和JavaScript Date.parse返回不同​​的时间戳 19
从不可见的表单注册输入 17
Jboss 7 - 自动从辅助数据库切换回主数据库 12
检索Google表单回复者的电子邮件地址,而不在表单中询问他们的电子邮件地址 10
Chrome开发者工具不捕获网络标签中的表单提交,为什么? 7
如何在提交前更改隐藏输入字段的值 5
为什么 php 标签在 html 文件中不起作用? 4
难疑归档
如何在Java中读取/转换InputStream为String? 3864
使用Java创建内存泄漏 3076
如何更改一个特定提交的提交作者? 1949
CSS三角形如何工作? 1791
什么是移动语义? 1614
使用jQuery将表单数据转换为JavaScript对象 1580
如何强制使用favicon刷新? 1499
如何在Python中通过索引从列表中删除元素? 1381
如何在python字符串中打印文字大括号字符并在其上使用.format? 1320
performSelector可能导致泄漏,因为其选择器未知 1251