1. 首页
  2. 问答
  3. sql适当的语法

sql适当的语法

2015-08-08 73 views
1

做下面这段代码面临SQL注入问题?如果是的话,为什么和可以改变以防止它呢?sql适当的语法

$sql2 = "UPDATE Candidates SET ".$row['Field']."= '$_POST[$tempname]' WHERE ID='".$_GET["id"]."'"; 
       $result2 = mysqli_query($con,$sql2); 
       if ($con->query($sql2) === TRUE) { 
        if($_POST['Status']=="Employed"){ 
        $sql3 = "INSERT INTO Employees (AFNumber, CID, Status, Name, DateOfBirth,DateOfEmployment) 
VALUES ('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."','".$_POST['DoBasID']."', '".date('d/m/Y')."')"; 
        $result3 = mysqli_query($con,$sql3); 
        if ($con->query($sql3) === TRUE) { 
        }else { 
         echo "Error: " . $sql3 . "<br>" . $con->error;} 
         echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>'; 
        } 
       } else { 
        echo "Error: " . $sql2 . "<br>" . $con->error; 
        echo '<script>swal("Error", "Something went wrong '.$con->error.'", "error");</script>'; 
       }

来源

2015-08-08 dan

+0

只是一个提示 - 太使它更安全,你应该做的验证你正在插入的'values'。例如,确保你的ID只是一个数字。如果你需要使用正则表达式。 – James111

+1

是的。 PHP的mysqli_ API的优点是它允许准备好的语句,所以看看这些。 – Strawberry

回答

0 
$row['Field']  = "`{$row['Field']}`"; //its better to use ` around field names. there can be 'date', 'begin', 'column' or other reserved keywords http://dev.mysql.com/doc/refman/5.6/en/keywords.html 
$_POST[$tempname] = mysqli_real_escape_string($con, $_POST[$tempname]); //have no idea which data type your $row['Field']-column, so lets rely on escaping will be enough http://php.net/manual/en/mysqli.real-escape-string.php 
$_GET['id']   = (int)$_GET['id']; //i believe that your `id` is an integer, otherwise you should use mysqli_real_escape_string 

$sql2 = "UPDATE Candidates SET ".$row['Field']." = '{$_POST[$tempname]}' WHERE `ID` = '{$_GET['id']}'"; 
$result2 = mysqli_query($con, $sql2); 
if ($con->query($sql2) === TRUE) { 
    if($_POST['Status']=="Employed") { 
     $_POST['AFNumber'] = (int)$_POST['AFNumber']; //i believe that your `AFNumber` is an integer, otherwise you should use mysqli_real_escape_string 
     $_POST['ID'] = (int)$_POST['ID']; //i believe that your `CID` is an integer, otherwise you should use mysqli_real_escape_string 
     $_POST['FullNameEng'] = mysqli_real_escape_string($con, $_POST['FullNameEng']); 
     $_POST['DoBasID'] = mysqli_real_escape_string($con, $_POST['DoBasID']); //if DateOfBirth is not a string - u can use (int) instead 
     $sql3 = " 
      INSERT INTO Employees 
       (AFNumber, CID, Status, Name, DateOfBirth, DateOfEmployment) 
      VALUES 
       ('".$_POST['AFNumber']."', '".$_POST['ID']."', 'Employed', '".$_POST['FullNameEng']."', '".$_POST['DoBasID']."', '".date('d/m/Y')."') 
      "; 
//...

主要思想这里(也是最简单的,最小的)是:

1)如果数据类型是整数使用(INT)或INTVAL()对传入的值。

2)如果数据类型是整数unsonned使用abs()对传入的值。

3)othervise(对字符串)使用mysqli_real_escape_string

阅读关于转义序列https://dev.mysql.com/doc/refman/5.0/en/string-literals.html

对于未来的阅读预处理语句https://dev.mysql.com/doc/refman/5.0/en/sql-syntax-prepared-statements.html

来源

2015-08-08 08:35:24 M0rtiis

相关问题

 相关问题