Php 如何从MySQL注入中保证插入的安全性?
我是PHP和数据库编程新手,一直在尝试将表单中的数据添加到MySQL数据库中。它工作正常,但这对我的MySQL注入开放吗?我已经阅读了大量的教程,我认为PDO准备好了声明。例如,如何为我的评论字段执行此操作?此字段(它是一个文本字段)将对用户想要放置的任何内容相当开放。我怎样才能写这篇文章以使它更安全Php 如何从MySQL注入中保证插入的安全性?,php,mysql,sql-injection,Php,Mysql,Sql Injection,我是PHP和数据库编程新手,一直在尝试将表单中的数据添加到MySQL数据库中。它工作正常,但这对我的MySQL注入开放吗?我已经阅读了大量的教程,我认为PDO准备好了声明。例如,如何为我的评论字段执行此操作?此字段(它是一个文本字段)将对用户想要放置的任何内容相当开放。我怎样才能写这篇文章以使它更安全 <?php ob_start(); $username = 'name'; $password = 'pass'; $host = 'localhost'; $dbname = 'ma
<?php
ob_start();
$username = 'name';
$password = 'pass';
$host = 'localhost';
$dbname = 'map';
try {
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO Incidents (
protocol,
jurisdiction,
date,
time,
comments,
video,
lat,
lng
)
VALUES (
'".$_POST["protocol"]."',
'".$_POST["jurisdiction"]."',
'".$_POST["date"]."',
'".$_POST["time"]."',
'".$_POST["comments"]."',
'".$_POST["video"]."',
'".$_POST["lat"]."',
'".$_POST["lng"]."'
)
";
// use exec() because no results are returned
$dbh->exec($sql);
header("Location: map1.php");
}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}
$dbh = null;
ob_end_flush();
?>
您已经使用了PDO,这非常好
但是,您还应该使用准备好的语句,这些语句应该是SQL注入证明。有关详细信息,请查看此链接:
插入文档中的示例:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
您已经使用了PDO,这非常好
但是,您还应该使用准备好的语句,这些语句应该是SQL注入证明。有关详细信息,请查看此链接:
插入文档中的示例:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
您应该使用prepare语句
那么,这样做:
new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => $variable, ':colour' => $color ));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
newpdo(“mysql:host=$host;dbname=$dbname”,$username,$password);
$sql='选择名称、颜色和热量
从水果
其中卡路里<:卡路里和颜色=:颜色';
$sth=$dbh->prepare($sql,数组(PDO::ATTR_CURSOR=>PDO::CURSOR_FWDONLY));
$sth->execute(数组(':carries'=>$variable':color'=>$color));
$red=$sth->fetchAll();
$sth->execute(数组(':carries'=>175',:color'=>yellow');
$yellow=$sth->fetchAll();
该示例最初取自php.net
您可以在这里了解更多信息:您应该使用prepare语句
那么,这样做:
new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
$sql = 'SELECT name, colour, calories
FROM fruit
WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => $variable, ':colour' => $color ));
$red = $sth->fetchAll();
$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));
$yellow = $sth->fetchAll();
newpdo(“mysql:host=$host;dbname=$dbname”,$username,$password);
$sql='选择名称、颜色和热量
从水果
其中卡路里<:卡路里和颜色=:颜色';
$sth=$dbh->prepare($sql,数组(PDO::ATTR_CURSOR=>PDO::CURSOR_FWDONLY));
$sth->execute(数组(':carries'=>$variable':color'=>$color));
$red=$sth->fetchAll();
$sth->execute(数组(':carries'=>175',:color'=>yellow');
$yellow=$sth->fetchAll();
该示例最初取自php.net
您可以在此处阅读更多关于它的信息:
参考此
请参阅此PDO已经非常安全。现在,您可以使用bindParam()
来提高安全性,如:
<?php
ob_start();
$username = 'name';
$password = 'pass';
$host = 'localhost';
$dbname = 'map';
try {
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO Incidents SET protocol = ?, jurisdiction = ?, date = ?, time = ?, comments = ?, video = ?, lat = ?, lng = ? ";
$smt->$dbh->prepare($sql);
$smt->bindParam(1, $_POST["protocol"]);
$smt->bindParam(2, $_POST["jurisdiction"]);
$smt->bindParam(3, $_POST["date"]);
$smt->bindParam(4, $_POST["time"]);
$smt->bindParam(5, $_POST["comments"]);
$smt->bindParam(6, $_POST["video"]);
$smt->bindParam(7, $_POST["lat"]);
$smt->bindParam(8, $_POST["lng"]);
// use exec() because no results are returned
$smt->execute();
if($smt->rowCount()) { // if insertion success
header("Location: map1.php");
}
}
catch(PDOException $e) {
echo $sql . "<br>" . $e->getMessage();
}
$dbh = null;
ob_end_flush();
?>
PDO已经非常安全了。现在,您可以使用bindParam()
来提高安全性,如:
<?php
ob_start();
$username = 'name';
$password = 'pass';
$host = 'localhost';
$dbname = 'map';
try {
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO Incidents SET protocol = ?, jurisdiction = ?, date = ?, time = ?, comments = ?, video = ?, lat = ?, lng = ? ";
$smt->$dbh->prepare($sql);
$smt->bindParam(1, $_POST["protocol"]);
$smt->bindParam(2, $_POST["jurisdiction"]);
$smt->bindParam(3, $_POST["date"]);
$smt->bindParam(4, $_POST["time"]);
$smt->bindParam(5, $_POST["comments"]);
$smt->bindParam(6, $_POST["video"]);
$smt->bindParam(7, $_POST["lat"]);
$smt->bindParam(8, $_POST["lng"]);
// use exec() because no results are returned
$smt->execute();
if($smt->rowCount()) { // if insertion success
header("Location: map1.php");
}
}
catch(PDOException $e) {
echo $sql . "<br>" . $e->getMessage();
}
$dbh = null;
ob_end_flush();
?>
refered this:refered this:为什么要转义特殊字符?为什么要转义特殊字符?如果没有正确执行,PDO不会比mysql或mysqli API更安全。PDO与mysqli相比非常容易学习和实现,只需打开并通过@cosmin的链接即可。学习曲线非常主观。有些人对过程式代码和旧的mysql_*函数更为熟悉,因此切换到mysqli而不是PDO可能会更容易一些,PDO并不比mysql或mysqli API更安全。与mysqli相比,PDO非常容易学习和实现,只是打开并通过@cosmin的链接。学习曲线非常主观。有些人对过程式代码和旧的mysql_*函数更为熟悉,因此切换到mysqli而不是PDO可能会更容易一些。