Php 使用预处理语句的SQL注入
我正在对特定页面中的SQL注入进行安全保护 我正在使用mysqli进行数据库连接,并使用准备好的语句 问题:PHP问题 解决方案:拥有工作/显示数据Php 使用预处理语句的SQL注入,php,mysql,mysqli,prepared-statement,sql-injection,Php,Mysql,Mysqli,Prepared Statement,Sql Injection,我正在对特定页面中的SQL注入进行安全保护 我正在使用mysqli进行数据库连接,并使用准备好的语句 问题:PHP问题 解决方案:拥有工作/显示数据 <p class="results-count">Records with the text: <b><?php echo $category = $_GET['target']; ?></b> and category: <b><?php echo $category = $_GE
<p class="results-count">Records with the text: <b><?php echo $category = $_GET['target']; ?></b> and category: <b><?php echo $category = $_GET['category']; ?></b><span class="search-query"></span></p>
带有文本和类别的记录:
$target = $_GET['target'];
$company = $_GET['company'];
$category = $_GET['category'];
// Make the query:
$sql = "select *
from companies where ((Company_Name) LIKE ('%$target%') OR (Company_Subcategory) LIKE ('%$target%') OR (Keywords) LIKE ('%$target%') OR (Description) LIKE ('%$target%')) AND Company_Category = '$category' AND Featured = 'Y' order by Date_Created DESC";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
// output data of each row
while ($row = mysqli_fetch_assoc($result)) {
$company=$row['companyID'];
$name=$row['Company_Name'];
$image = $row['Company_Logo'];
$myArray = json_decode($image, true);
echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">
<div class="thumbnail">
<div class="place-img-list col-md-5 col-sm-5">
<img class="group list-group-image img-responsive" src="'.$myImage = $myArray[0]['name'].'" alt="" />
</div>
<div class="caption col-md-7 col-sm-7">
<div class=" row title-row">
<p class="featured-text caps">Featured</p>
</div>
<div class="biz-info-caption">
<h2 class="group inner place-title-list">'.$row['Company_Name'].'</h2>
<a href="tel:575-522-5690" class="phone-num">'.$row['Telephone_Number'].'</a>
<p class="address-list">'.$row['Address'].'</p>
<p class="group inner place-description">'.$row['Description'].'</p>
<p><a class="more-info-list" href="mini-about.php?company='.$company.'">More Information</a></p>
<p class="caps biz-cat-list">Category: <span class="biz-cat-name-list caps">'.$row['Company_Category'].'</span></p>
<p class="caps biz-subcat-list">Subcategory: <span class="biz-subcat-name-list caps">'.$row['Company_Subcategory'].'</span></p>
</div>
</div>
</div>
</div>'; }}
<?php
// 1. Connect
$mysqli = new mysqli("localhost", "username", "password", "database");
if($mysqli->connect_errno) {
die("Connect failed: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error);
}
// 2. Prepare
$sql = "select *
from companies where (Company_Name) LIKE (?) OR (Company_Subcategory) LIKE (?) OR (Keywords) LIKE (?) OR (Description) LIKE (?) AND Company_Category = ? AND Featured = 'Y' order by Date_Created DESC";
$stmt = $mysqli->prepare($sql);
if(!$stmt) {
die("Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error);
}
//Variables
$target = $_GET['target'];
$company = $_GET['company'];
$category = $_GET['category'];
// 3. Bind params
// s = string
// i = integer
// d = double (float)
// b = blob (binary data)
$bind_result = $stmt->bind_param("sssss", '%$target%', '%$target%', '%$target%', '%$target%', '$category');
if(!$bind_result) {
echo "Binding failed: (" . $stmt->errno . ") " . $stmt->error;
}
// 4. Execute
$execute_result = $stmt->execute();
if(!$execute_result) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
// $stmt->store_result();
// 5. Bind selected columns to variables
$stmt->bind_result($id, $username);
// 6. Use results
$row = $stmt->fetch();
while($row) {
$company=$row['companyID'];
$name=$row['Company_Name'];
$image = $row['Company_Logo'];
$myArray = json_decode($image, true);
echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">
<div class="thumbnail">
<div class="place-img-list col-md-5 col-sm-5">
<img class="group list-group-image img-responsive" src="'.$myImage = $myArray[0]['name'].'" alt="" />
</div>
<div class="caption col-md-7 col-sm-7">
<div class=" row title-row">
<p class="featured-text caps">Featured</p>
</div>
<div class="biz-info-caption">
<h2 class="group inner place-title-list">'.$row['Company_Name'].'</h2>
<a href="tel:575-522-5690" class="phone-num">'.$row['Telephone_Number'].'</a>
<p class="address-list">'.$row['Address'].'</p>
<p class="group inner place-description">'.$row['Description'].'</p>
<p><a class="more-info-list" href="mini-about.php?company='.$company.'">More Information</a></p>
<p class="caps biz-cat-list">Category: <span class="biz-cat-name-list caps">'.$row['Company_Category'].'</span></p>
<p class="caps biz-subcat-list">Subcategory: <span class="biz-subcat-name-list caps">'.$row['Company_Subcategory'].'</span></p>
</div>
</div>
</div>
</div>'; }
// 7. Free results
$stmt->free_result();
// 8. Close statment
$stmt->close();
// 9. Close MySQL connection
$mysqli->close();
$target=$\u GET['target'];
$company=$_GET['company'];
$category=$_GET['category'];
//进行查询:
$sql=“选择*
来自以下公司:((公司名称)如(“%$target%”)或(公司子类别)如(“%$target%”)或(关键词)如(“%$target%”)或(说明)如(“%$target%”)和公司类别=“%$Category”和特色=“Y”按日期排序;
$result=mysqli\u查询($conn,$sql);
如果(mysqli_num_行($result)>0){
//每行的输出数据
while($row=mysqli\u fetch\u assoc($result)){
$company=$row['companyID'];
$name=$row['Company_name'];
$image=$row['Company_Logo'];
$myArray=json_decode($image,true);
回声'
精选
“.$row[“公司名称”]。”
。$row['address']
。$row['description']
类别:'.$row['Company\u Category'.'.
子类别:'.$row['Company\u子类别'.'
'; }}
$target = $_GET['target'];
$company = $_GET['company'];
$category = $_GET['category'];
// Make the query:
$sql = "select *
from companies where ((Company_Name) LIKE ('%$target%') OR (Company_Subcategory) LIKE ('%$target%') OR (Keywords) LIKE ('%$target%') OR (Description) LIKE ('%$target%')) AND Company_Category = '$category' AND Featured = 'Y' order by Date_Created DESC";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
// output data of each row
while ($row = mysqli_fetch_assoc($result)) {
$company=$row['companyID'];
$name=$row['Company_Name'];
$image = $row['Company_Logo'];
$myArray = json_decode($image, true);
echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">
<div class="thumbnail">
<div class="place-img-list col-md-5 col-sm-5">
<img class="group list-group-image img-responsive" src="'.$myImage = $myArray[0]['name'].'" alt="" />
</div>
<div class="caption col-md-7 col-sm-7">
<div class=" row title-row">
<p class="featured-text caps">Featured</p>
</div>
<div class="biz-info-caption">
<h2 class="group inner place-title-list">'.$row['Company_Name'].'</h2>
<a href="tel:575-522-5690" class="phone-num">'.$row['Telephone_Number'].'</a>
<p class="address-list">'.$row['Address'].'</p>
<p class="group inner place-description">'.$row['Description'].'</p>
<p><a class="more-info-list" href="mini-about.php?company='.$company.'">More Information</a></p>
<p class="caps biz-cat-list">Category: <span class="biz-cat-name-list caps">'.$row['Company_Category'].'</span></p>
<p class="caps biz-subcat-list">Subcategory: <span class="biz-subcat-name-list caps">'.$row['Company_Subcategory'].'</span></p>
</div>
</div>
</div>
</div>'; }}
<?php
// 1. Connect
$mysqli = new mysqli("localhost", "username", "password", "database");
if($mysqli->connect_errno) {
die("Connect failed: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error);
}
// 2. Prepare
$sql = "select *
from companies where (Company_Name) LIKE (?) OR (Company_Subcategory) LIKE (?) OR (Keywords) LIKE (?) OR (Description) LIKE (?) AND Company_Category = ? AND Featured = 'Y' order by Date_Created DESC";
$stmt = $mysqli->prepare($sql);
if(!$stmt) {
die("Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error);
}
//Variables
$target = $_GET['target'];
$company = $_GET['company'];
$category = $_GET['category'];
// 3. Bind params
// s = string
// i = integer
// d = double (float)
// b = blob (binary data)
$bind_result = $stmt->bind_param("sssss", '%$target%', '%$target%', '%$target%', '%$target%', '$category');
if(!$bind_result) {
echo "Binding failed: (" . $stmt->errno . ") " . $stmt->error;
}
// 4. Execute
$execute_result = $stmt->execute();
if(!$execute_result) {
echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
// $stmt->store_result();
// 5. Bind selected columns to variables
$stmt->bind_result($id, $username);
// 6. Use results
$row = $stmt->fetch();
while($row) {
$company=$row['companyID'];
$name=$row['Company_Name'];
$image = $row['Company_Logo'];
$myArray = json_decode($image, true);
echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">
<div class="thumbnail">
<div class="place-img-list col-md-5 col-sm-5">
<img class="group list-group-image img-responsive" src="'.$myImage = $myArray[0]['name'].'" alt="" />
</div>
<div class="caption col-md-7 col-sm-7">
<div class=" row title-row">
<p class="featured-text caps">Featured</p>
</div>
<div class="biz-info-caption">
<h2 class="group inner place-title-list">'.$row['Company_Name'].'</h2>
<a href="tel:575-522-5690" class="phone-num">'.$row['Telephone_Number'].'</a>
<p class="address-list">'.$row['Address'].'</p>
<p class="group inner place-description">'.$row['Description'].'</p>
<p><a class="more-info-list" href="mini-about.php?company='.$company.'">More Information</a></p>
<p class="caps biz-cat-list">Category: <span class="biz-cat-name-list caps">'.$row['Company_Category'].'</span></p>
<p class="caps biz-subcat-list">Subcategory: <span class="biz-subcat-name-list caps">'.$row['Company_Subcategory'].'</span></p>
</div>
</div>
</div>
</div>'; }
// 7. Free results
$stmt->free_result();
// 8. Close statment
$stmt->close();
// 9. Close MySQL connection
$mysqli->close();
添加分号
$row = $stmt->fetch();
[附录。回答您的评论问题。]
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
echo '<h2>' . $row['Company_Name'] . '</h2>';
}
$result=$stmt->get_result();
而($row=$result->fetch_assoc()){
回显'.$row['Company_Name'].';
}
括号的用法很奇怪。您只需执行(公司名称类似?或公司子类别类似?或关键字类似?或描述类似?
)。它们不用于封装字符串、占位符和值。好的,很好,很高兴知道绑定中也存在不匹配。。。应该是“sssss”。这会再次加载页面,谢谢,捕获得很好,仍然没有显示任何数据,而在是之前,您应该在SQL语句中显式列出字段,而不要使用“*”。很难说绑定结果是否正确匹配。而($stmt->fetch()){…}
是fetch()的典型用法。每次获取后,您在bind_result语句中定义的变量都会填充您感兴趣的行变量。因此,在之前,我将$row
的结果作为关联数组获取,这样可以轻松地获取数据。这里怎么能这样?