1. 首頁
  2. 問答
  3. PHP/MySQL注入預防

PHP/MySQL注入預防

2013-02-26 56 views
-1

想知道是否有人可以幫助我增加對我的PHP編碼的保護,這是非常基本的,並需要一些防禦。PHP/MySQL注入預防

我希望我已經提供了足夠的細節,以幫助我需要幫助,非常感謝!

<?php 
    //This is only displayed if they have submitted the form 

    if ($searching =="yes") { 
     echo "<h2>Results</h2><p>"; 
     //If they did not enter a search term we give them an error 

     if ($find == "") 
     if ($f == "") 
     if ($info == "") 
     if ($zip == "") 
     if ($state == "") 
     if ($email == "") 
     if ($address == "") 
     { 
      echo "<p>You forgot to enter a search term"; 
      exit; 
     } 

     // Otherwise we connect to our Database 
     mysql_connect("xx.xx.xx", "xxxx", "xxxxx") or die(mysql_error()); 
     mysql_select_db("xxxxx") or die(mysql_error()); 
     // We preform a bit of filtering 
     $find = strtoupper($find); 
     $find = strip_tags($find); 
     $find = trim ($find); 
     $f = strtoupper($f); 
     $f = strip_tags($f); 
     $f = trim ($f); 
     $info = strtoupper($info); 
     $info = strip_tags($info); 
     $info = trim ($info); 
     $zip = strtoupper($zip); 
     $zip = strip_tags($zip); 
     $zip = trim ($zip); 

     $state = strtoupper($state); 
     $state = strip_tags($state); 
     $state = trim ($state); 

     $email = strtoupper($email); 
     $email = strip_tags($email); 
     $email = trim ($email); 

     $address = strtoupper($address); 
     $address = strip_tags($address); 
     $address = trim ($address); 
     //Now we search for our search term, in the field the user specified 
$data = mysql_query("SELECT * FROM users WHERE fname 
LIKE '%" . mysql_real_escape_string($find)  . "%' AND lname 
LIKE '%" . mysql_real_escape_string($f)   . "%' AND info 
LIKE '%" . mysql_real_escape_string($info)  . "%' AND zip 
LIKE '%" . mysql_real_escape_string($zip)  . "%' AND state 
LIKE '%" . mysql_real_escape_string($state)  . "%' AND email 
LIKE '%" . mysql_real_escape_string($email)  . "%' AND address 
LIKE '%" . mysql_real_escape_string($address) . "%'"); 
//And we display the results 
while($result = mysql_fetch_array($data)) 
{ 
echo $result['fname']; 
echo "<br>"; 
echo $result['lname']; 
echo "<br>"; 
echo $result['info']; 
echo "<br>"; 
echo $result['zip']; 
echo "<br>"; 
echo $result['state']; 
echo "<br>"; 
echo $result['email']; 
echo "<br>"; 
    echo $result['address']; 
echo "<br>"; 
} 
//This counts the number or results - and if there wasn't any it gives them a little message explaining that 
$anymatches=mysql_num_rows($data); 
if ($anymatches == 0) 
{ 
echo "Sorry, but we can not find an entry to match your query<br><br>"; 
} 
//And we remind them what they searched for 
echo "<b>Searched For: 
     </b> " .$find; 
} 
?>

來源

2013-02-26 Michael Toole

+0

爲mysql使用PDO或mysqli的預處理語句是更安全! – Perry 2013-02-26 12:41:13

+0

http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php/12817590#12817590 – 2013-02-26 12:41:45

+0

忘掉mysql,使用PDO或mysqli,準備好的語句也會幫助你。 – 2013-02-26 12:41:52

回答

-2

剛剛擺脫// We preform a bit of filtering塊。
其餘的都很好。

但是,您的查詢幾乎找不到任何東西。
是否打算查找包含所有輸入值的單行?
我有你的意思OR,不AND您的審覈規定

來源

2013-02-26 12:43:09

-1

不要再使用MySQL的函數的感覺,他們已被棄用。

改爲使用mysqli或pdo類。

更多細節,看看這個StackOverflow的發佈

How can I prevent SQL injection in PHP?

在那旁邊,你的代碼是非常難看。嘗試從視圖中分離你的logik。

來源

2013-02-26 12:47:09 c4pone

-1

另外在PHP中,您可以在插入數據庫之前清理數據。 檢查此代碼。

<?php 
$email = "[email protected]"; //Note the .com missing 
if(filter_var($email, FILTER_SANITIZE_EMAIL)){ 
    echo $email.'<br>'; 
    var_dump(filter_var($email, FILTER_SANITIZE_EMAIL)); 
}else{ 
    var_dump(filter_var($email, FILTER_SANITIZE_EMAIL));  
} 
?>

支持鏈接:php sanitize

來源

2013-02-26 12:47:29

-1 
<Paranoia> 

1. No using of old mysql functions (told already) 
2. intval() on zip-field 
3. regexp on others 

</Paranoia>

來源

2013-02-26 12:55:01

 相關問題

  • 暫無相關問題^_^