2011-10-07 46 views
-1
<?php
//create_cat.php
include 'connect.php';
include 'header.php';
include 'parser.php';

// NOTE: the id is escaped but not quoted, so it is spliced into the query unquoted
$sql = "SELECT
            topic_id,
            topic_subject
        FROM
            topics
        WHERE
            topics.topic_id = " . mysql_real_escape_string($_GET['id']);

$result = mysql_query($sql);

if(!$result)
{
    echo 'The topic could not be displayed, please try again later.';
}
//check for sign in status
else if(!$_SESSION['signed_in'])
{
    echo 'You must be signed in!';
    header('Location:signin.php');
}
else
{
    if(mysql_num_rows($result) == 0)
    {
        echo 'This topic doesn\'t exist.';
    }
    else
    {
        while($row = mysql_fetch_assoc($result))
        {
            //display post data
            echo '<table class="topic" border="1">
                <tr>
                    <th colspan="2">' . $row['topic_subject'] . '</th>
                </tr>';

            //fetch the posts from the database (same unquoted id as above)
            $posts_sql = "SELECT
                            posts.post_topic,
                            posts.post_content,
                            posts.post_date,
                            posts.post_by,
                            users.user_id,
                            users.user_name
                        FROM
                            posts
                        LEFT JOIN users ON posts.post_by = users.user_id
                        LEFT JOIN topics ON topics.topic_by = users.user_name
                        WHERE
                            posts.post_topic = " . mysql_real_escape_string($_GET['id']);

            $posts_result = mysql_query($posts_sql);

            if(!$posts_result)
            {
                echo '<tr><td colspan="2">The posts could not be displayed, please try again later.</td></tr></table>';
            }
            else
            {
                $parser = new parser; // instantiate the BBCode parser

                while($posts_row = mysql_fetch_assoc($posts_result))
                {
                    //parse BBCode in the post body
                    $parsed = $parser->p($posts_row['post_content']);

                    echo '<tr class="topic-post">
                        <td class="user-post">' . $posts_row['user_name'] . '<br/>' . date('d-m-Y H:i', strtotime($posts_row['post_date'])) . '</td>
                        <td class="post-content">' . $parsed . '</td>
                    </tr>';
                }
            }

            if(!$_SESSION['signed_in'])
            {
                echo '<tr><td colspan="2">You must be <a href="signin.php">signed in</a> to reply. You can also <a href="signup.php">sign up</a> for an account.</td></tr>';
            }
            else
            {
                //show reply box
                echo '<tr><td colspan="2"><h2>Reply:</h2><br />
                    <form method="post" action="reply.php?id=' . $row['topic_id'] . '">
                        <textarea name="reply-content"></textarea><br /><br />
                        <input type="submit" value="Submit reply" />
                    </form></td></tr>';
            }

            //finish the table
            echo '</table>';
        }
    }
}

include 'footer.php';
?>

Error-based SQL injection works against my code and I can't figure out where my mistake is. I mean, everything works correctly, but my code is definitely vulnerable. What better practices can I use in this code to protect it? This is a simple forum script I'm working on using MySQL and plain PHP.

PHP MySQL insecure: error-based injection

+0

Wow, that's a lot of SQL injection. – rook

Answers

2

Well, mysql_real_escape_string escapes your string, but it does not also quote it. You should use something like this (in the general case):

$sql = sprintf('...blah blah... WHERE topics.topic_id = \'%s\'',
               mysql_real_escape_string($_GET['id']));

In this specific case you could also use intval (which is, IMHO, more descriptive) and/or switch the sprintf parameter specifier to %d.

+0

That alone stopped the error-based injection, thanks! I'm reading more about sprintf and escaping strings. –
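The answer's point is that escaping only neutralises quote and backslash characters, so a value spliced into an unquoted numeric comparison reaches MySQL unchanged. The following is an added example (not the asker's script and not the answer's code) showing the two defences a practitioner would apply to the topic query: validate the id as a positive integer before it goes anywhere near SQL, and send it as a bound parameter of a prepared statement so it is never part of the query text. It uses PDO rather than the mysql_* extension, which was removed in PHP 7; the `$pdo` connection, the DSN placeholder and the table columns are assumptions taken from the question's schema.

```php
<?php
// Added example: hardened versions of the topic and post queries from the question.

/**
 * Return the topic id from the query string only if it is a positive integer.
 * Strings that contain no quote character pass mysql_real_escape_string
 * unchanged; validating the type here rejects them before any SQL is built.
 */
function topicIdFromRequest(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects anything that is not a plain integer literal;
    // min_range 1 matches the domain an AUTO_INCREMENT id actually uses.
    $id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the topic subject with a prepared statement. The id travels to the
 * server as a typed bound parameter, never as text inside the SQL.
 * Returns null when the topic does not exist.
 */
function fetchTopicSubject(PDO $pdo, int $topicId): ?string
{
    $stmt = $pdo->prepare('SELECT topic_id, topic_subject FROM topics WHERE topic_id = :id');
    $stmt->bindValue(':id', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['topic_subject'];
}

/** Fetch the posts of one topic, again with the id bound rather than concatenated. */
function fetchPosts(PDO $pdo, int $topicId): array
{
    $stmt = $pdo->prepare(
        'SELECT posts.post_content, posts.post_date, users.user_name
           FROM posts
           LEFT JOIN users ON posts.post_by = users.user_id
          WHERE posts.post_topic = :id
          ORDER BY posts.post_date'
    );
    $stmt->bindValue(':id', $topicId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs: only the first one should reach the database.
$samples = ['7', '7 OR 1=1', "7'", '0', '-3', 'abc'];
foreach ($samples as $raw) {
    $id = topicIdFromRequest(['id' => $raw]);
    printf("%-12s => %s\n", var_export($raw, true), $id === null ? 'rejected' : "topic $id");
}

// Wiring it into the page (assumed DSN and credentials; placeholders only):
// $pdo = new PDO('mysql:host=localhost;dbname=FORUM_DB', 'DB_USER', 'DB_PASS',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $topicId = topicIdFromRequest($_GET);
// if ($topicId === null) { http_response_code(400); exit('Invalid topic id.'); }
// $subject = fetchTopicSubject($pdo, $topicId);
// $posts   = $subject === null ? [] : fetchPosts($pdo, $topicId);
```

The answer's `intval` / `%d` suggestion gives the same protection for this one integer column; the prepared statement generalises it to the string columns (post content, user name) that the same script will eventually bind, where quoting-by-hand is easy to get wrong. Setting `PDO::ERRMODE_EXCEPTION` also means a failed query raises rather than silently returning false, which is what the original `if(!$result)` branches were trying to detect.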