PHP: how do I update this code to prevent SQL injection?

This code is vulnerable to SQL injection. How can I improve it to prevent injection? How can I test this code with an injection? Here is my code:
```php
// $con (mysqli link), $tbl_name and $id are defined earlier in the script.
if (isset($_POST['name'])) {
    $name = $_POST['name'];
}
if (isset($_POST['remarcs'])) {
    $remarcs = $_POST['remarcs'];
}
if (isset($_POST['test_res'])) {
    $test_res = $_POST['test_res'];
}
if (isset($_POST['address'])) {
    $address = $_POST['address'];
}
if (isset($_POST['date'])) {
    $date = $_POST['date'];
}
if (isset($_POST['phone_num'])) {
    $phone = $_POST['phone_num'];
}
if (isset($_POST['illness'])) {
    $illness = $_POST['illness'];
}
if (isset($_POST['echo'])) {
    $echo = $_POST['echo'];
}
if (isset($_POST['pe'])) {
    $pe = $_POST['pe'];
}
if (isset($_POST['pmhx'])) {
    $pmhx = $_POST['pmhx'];
}
if (isset($_POST['pshx'])) {
    $pshx = $_POST['pshx'];
}
if (isset($_POST['habbits'])) {
    $habbits = $_POST['habbits'];
}
if (isset($_POST['occup'])) {
    $occup = $_POST['occup'];
}
if (isset($_POST['allergy'])) {
    $allergy = $_POST['allergy'];
}

// Check whether a file was uploaded
// if (isset($_FILES['file']['name']) && $_FILES['file']['name'] != '' && $_FILES['file']['error'] == '') {
// $path2 = ... ;
// move_uploaded_file(...);
if (is_uploaded_file($_FILES["file"]["tmp_name"])) {
    $path = "../uploads/" . $_FILES['file']['name'];
    move_uploaded_file($_FILES["file"]["tmp_name"], $path);
    $new_path = "./uploads/" . $path;
} else {
    $new_path = $_POST['org_path'];
    // $path2 = "../uploads/" . $_FILES['echo_photo']['name'];
}
// move_uploaded_file($_FILES["file"]["tmp_name"], $path);
// $new_path = $path;

// Every request value is interpolated straight into the SQL text: this is the injection point.
$sql = "UPDATE $tbl_name SET
    name = '$name',
    echo_files = '$new_path',
    remarcs = '$remarcs',
    test_res = '$test_res',
    date = '$date',
    address = '$address',
    phone_num = '$phone',
    illness = '$illness',
    echo = '$echo',
    pmhx = '$pmhx',
    pshx = '$pshx',
    habbits = '$habbits',
    occup = '$occup',
    allergy = '$allergy',
    pe = '$pe'
    WHERE id = " . $id;
$result = mysqli_query($con, $sql) or die('Unable to execute query. ' . mysqli_error($con));
```
1. You can use prepared statements (parameterized statements) to execute statements safely and efficiently. For example:
2. For advanced hardening techniques, you can refer to my suggestions:

- Use regular expressions to check variable values. For example:
  - If a field requires an integer, check that it is an integer.
  - If it is a string, check that it is only alphanumeric.
- If you upload files to your server, do not give them execute permission.
- Check the length of the values.
- Use addslashes to escape single quotes.
- Use mysqli_real_escape_string.
- Use mysqli prepared statements.
- Use htmlentities.
- In general, allow a variable to contain only what you believe it should contain.
- And so on.

Only after all of these things should you consider putting the variable into the SQL query.
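Bringing answer 1 and answer 2 together on the question's own UPDATE, as an added example that is not the question's or either answer's code: the query rewritten with a mysqli prepared statement, an integer check on the id and a length check on each text field. It assumes $con, $tbl_name, $id and $new_path are set earlier in the script as in the question; the whitelisted table name 'patients' and the 1000-character limit are assumptions.

```php
<?php
// Added example, not the question's or answers' code: the same UPDATE done with a
// mysqli prepared statement plus the checks answer 2 recommends.
// Assumes $con (mysqli link), $tbl_name, $id and $new_path are set earlier, as in the question.

// Table and column names cannot be bound as parameters, so the table name is
// checked against a fixed whitelist (the name 'patients' is an assumption).
if (!in_array($tbl_name, ['patients'], true)) {
    die('Unknown table');
}

// Answer 2, "if a field requires an integer, check that it is an integer":
// the row id is validated before it ever reaches the query.
$id = filter_var($id, FILTER_VALIDATE_INT);
if ($id === false) {
    die('Invalid id');
}

// The text columns from the question, keyed by the $_POST field of the same name.
$columns = ['name', 'remarcs', 'test_res', 'date', 'address', 'phone_num',
            'illness', 'echo', 'pmhx', 'pshx', 'habbits', 'occup', 'allergy', 'pe'];
$values = [];
$set_parts = [];
foreach ($columns as $col) {
    $v = isset($_POST[$col]) ? (string) $_POST[$col] : '';
    if (strlen($v) > 1000) {                     // answer 2, "check the length" (limit assumed)
        die("Value for $col is too long");
    }
    $values[] = $v;
    $set_parts[] = "$col = ?";
}
// The upload path from the question's file branch is bound like any other value.
$values[] = $new_path;
$set_parts[] = 'echo_files = ?';
$values[] = $id;

// Every user value is a ? placeholder: the driver sends the values separately from
// the SQL text, so quotes or SQL keywords in the input cannot change the statement.
$sql = "UPDATE $tbl_name SET " . implode(', ', $set_parts) . ' WHERE id = ?';
$stmt = mysqli_prepare($con, $sql) or die('Prepare failed: ' . mysqli_error($con));

$types = str_repeat('s', count($values) - 1) . 'i';  // 15 strings, then the integer id
mysqli_stmt_bind_param($stmt, $types, ...$values);
mysqli_stmt_execute($stmt) or die('Execute failed: ' . mysqli_stmt_error($stmt));
mysqli_stmt_close($stmt);
```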