PHP: How to prevent SQL injection in update code - Php - Sql - Fatal编程技术网


This code is vulnerable to SQL injection. How can I improve it to prevent injection? How can I test this code with an injection? This is my code:

if (isset($_POST['name'])) {
    $name = $_POST['name'];
}
if (isset($_POST['remarcs'])) {
    $remarcs = $_POST['remarcs'];
}
if (isset($_POST['test_res'])) {
    $test_res = $_POST['test_res'];
}
if (isset($_POST['address'])) {
    $address = $_POST['address'];
}

if (isset($_POST['date'])) {
    $date = $_POST['date'];
}

if (isset($_POST['phone_num'])) {
    $phone = $_POST['phone_num'];
}

if (isset($_POST['illness'])) {
    $illness = $_POST['illness'];
}
if (isset($_POST['echo'])) {
    $echo = $_POST['echo'];
}
if (isset($_POST['pe'])) {
    $pe = $_POST['pe'];
}
if (isset($_POST['pmhx'])) {
    $pmhx = $_POST['pmhx'];
}
if (isset($_POST['pshx'])) {
    $pshx = $_POST['pshx'];
}
if (isset($_POST['habbits'])) {
    $habbits = $_POST['habbits'];
}
if (isset($_POST['occup'])) {
    $occup = $_POST['occup'];
}
if (isset($_POST['allergy'])) {
    $allergy = $_POST['allergy'];
}

// Check whether a file was uploaded
// if (isset($_FILES['file']['name']) && $_FILES['file']['name']!='' && $_FILES['file']['error']=='') {
// $path2 = ... ;
// move_uploaded_file(...);
if (is_uploaded_file($_FILES["file"]["tmp_name"])) {
    // Destination path is built from the client-supplied file name
    $path = "../uploads/".$_FILES['file']['name'];
    move_uploaded_file($_FILES["file"]["tmp_name"], $path);
    $new_path = "./uploads/".$path;
} else {
    $new_path = $_POST['org_path'];
    // $path2 = "../uploads/".$_FILES['echo_photo']['name'];
}
// move_uploaded_file($_FILES["file"]["tmp_name"], $path);
// $new_path = $path;

// Every value below is interpolated directly into the SQL text without escaping
// or binding; $con, $tbl_name and $id are set earlier in the script (not shown)
$sql = "UPDATE $tbl_name SET
name = '$name',
echo_files = '$new_path',
remarcs = '$remarcs',
test_res = '$test_res',
date = '$date',
address = '$address',
phone_num = '$phone',
illness = '$illness',
echo = '$echo',
pmhx = '$pmhx',
pshx = '$pshx',
habbits = '$habbits',
occup = '$occup',
allergy = '$allergy',
pe = '$pe'
WHERE id = ".$id;

$result = mysqli_query($con, $sql) or die('Unable to execute query. '.mysqli_error($con));
1

You can use prepared statements or parameterized statements to execute statements safely and efficiently. For example:
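As an added illustration (not the answerer's own code), here is the question's UPDATE rewritten with a mysqli prepared statement. It assumes `$con` is the open mysqli connection from the question, that the table name is a fixed identifier (the placeholder name `patients` is used, because a `?` placeholder can bind values but never a table or column name), and that the row id arrives as an integer in `$_GET['id']`; the column list is the one from the question's query.

```php
<?php
// Added example, not the answerer's code. Assumes $con is an open mysqli
// connection and that the table name is a trusted constant: placeholders
// bind values only, never identifiers.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Column names from the question's query, in placeholder order. They are
// application constants, never taken from the request.
const PATIENT_COLUMNS = [
    'name', 'echo_files', 'remarcs', 'test_res', 'date', 'address',
    'phone_num', 'illness', 'echo', 'pmhx', 'pshx', 'habbits', 'occup',
    'allergy', 'pe',
];

/**
 * Update one row with bound parameters. $fields is keyed by column name,
 * $id selects the row. Returns the number of affected rows.
 */
function updatePatient(mysqli $con, array $fields, int $id): int
{
    $setClause = implode(', ', array_map(fn ($c) => "$c = ?", PATIENT_COLUMNS));
    // 'patients' is a placeholder for the question's $tbl_name
    $sql = "UPDATE patients SET $setClause WHERE id = ?";

    $stmt = $con->prepare($sql);

    // Values travel to the server separately from the statement text, so a
    // quote or comment sequence inside a value cannot alter the statement.
    $values = [];
    foreach (PATIENT_COLUMNS as $col) {
        $values[] = (string)($fields[$col] ?? '');
    }
    $values[] = $id;
    $types = str_repeat('s', count(PATIENT_COLUMNS)) . 'i';
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage in the question's form handler: POST keys match the column names,
// except echo_files, which comes from the upload handling ($new_path).
$fields = [];
foreach (PATIENT_COLUMNS as $col) {
    if ($col !== 'echo_files') {
        $fields[$col] = $_POST[$col] ?? '';
    }
}
$fields['echo_files'] = $new_path ?? '';
$id = (int)($_GET['id'] ?? 0);   // assumption: the row id arrives in the query string
echo updatePatient($con, $fields, $id) . " row(s) updated\n";
```

This also answers the "how do I test it" part of the question for your own form: submit a name containing a single quote (for example `O'Brien`) and confirm it is stored verbatim with the other columns unchanged; the same input against the original string-built query would break the statement, which is the symptom you are looking for when checking old code.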

2

For advanced hardening techniques, you can refer to my suggestions. Check variable values with regular expressions. For example:

- If a field requires an integer, check that it is an integer.
- If it is a string, check that it contains only alphanumeric characters.
- If you upload files to your server, do not give them execute permission.
- Check the length of values.
- Use addslashes to escape single quotes.
- Use mysqli_real_escape_string.
- Use mysqli prepared statements.
- Use htmlentities.
- In general, allow a variable to contain only what you believe it should contain.
- And so on.

Only after all of this should you consider putting the variable in an SQL query.
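The checks listed in this answer, as an added example (not the answerer's code) applied to the question's form: each field is matched in full against an allow-list regex and a length limit, the uploaded file is stored under a server-generated name with an extension allow-list and no execute bit, and a request that fails validation never reaches the query. The field rules (a representative subset of the form's fields), the upload directory and the allowed extensions are assumptions, not values the page specifies; the validated values are meant to be bound to a prepared statement as in the first answer.

```php
<?php
// Added example, not the answerer's code. The field rules, upload directory
// and extension list are assumptions about this form.
declare(strict_types=1);

// One rule per field: a pattern the value must match in full and a maximum
// byte length. The D modifier stops $ from accepting a trailing newline.
const FIELD_RULES = [
    'name'      => ['pattern' => '/^[\p{L} .\'-]+$/Du',          'max' => 100],
    'phone_num' => ['pattern' => '/^\+?[0-9 -]+$/D',             'max' => 20],
    'date'      => ['pattern' => '/^\d{4}-\d{2}-\d{2}$/D',       'max' => 10],
    'address'   => ['pattern' => '/^[\p{L}\p{N} ,.\/#-]+$/Du',   'max' => 200],
    // free text: any printable characters plus tab/newline, no other controls
    'remarcs'   => ['pattern' => '/^[^\x00-\x08\x0B\x0C\x0E-\x1F]*$/D', 'max' => 2000],
];

const UPLOAD_DIR  = __DIR__ . '/uploads';   // assumption: a directory outside the web root
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'pdf'];

/**
 * Validate $input against FIELD_RULES. Returns [cleanValues, errors]; a field
 * appears in cleanValues only if it passed, so a caller cannot skip a check.
 */
function validateFields(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => $rule) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {              // name[]=... arrives as an array; reject it
            $errors[$field] = 'not a string';
            continue;
        }
        if (strlen($value) > $rule['max']) {
            $errors[$field] = 'too long';
            continue;
        }
        if (preg_match($rule['pattern'], $value) !== 1) {
            $errors[$field] = 'unexpected characters';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/**
 * Store an uploaded file safely: the client-supplied name is discarded, the
 * extension must be on the allow-list, and the stored file is not executable.
 * Returns the stored path, or null when nothing acceptable was uploaded.
 */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;                           // script extensions are refused here
    }
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640);                        // readable by the application, never executable
    return $dest;
}

// Usage in the question's handler: reject the request unless every field passes.
[$clean, $errors] = validateFields($_POST);
if ($errors !== []) {
    http_response_code(400);
    exit('Invalid input: ' . htmlentities(implode(', ', array_keys($errors)), ENT_QUOTES, 'UTF-8'));
}
$storedPath = storeUpload($_FILES['file'] ?? []);
// $clean and $storedPath are now the only values that may be bound into the UPDATE.
```

The `remarcs` rule shows the trade-off the answer's "only what it should contain" item implies: a free-text field cannot be restricted to alphanumerics, so its rule only caps length and rejects control characters, and protection of the query itself comes from parameter binding rather than from the pattern.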