Hello, I am developing a website using the Bootstrap template Metronic (HTML template boilerplate).
People say this code is at risk of SQL injection.
Can you tell me which part of the code is broken, and how I can fix it?
<div class="container main">
  <div class="main_pad">
    <?php
    if(isset($_GET['ID'])) {
      $arrayResult = array();
      $query = $dbConnect->query("
        SELECT
          designers.ID AS ID_designer,
          designers.nome AS nome_designer,
          designers.immagine AS immagine_designer,
          designers.testo_IT AS testo_IT_designer,
          designers.testo_EN AS testo_EN_designer,
          designers.website AS website_designer,
          designers.ID_linea AS ID_linea_designer
        FROM
          designers
        WHERE
          ID = '" . $_GET['ID'] . "'
      ");
      $result = $dbConnect->extractObject($query);
      if(count($result)>0) {
        for($i=0;$i<count($result);$i++) {
          $fileParts = pathinfo($result[$i]->immagine_designer);
          $basename = substr($fileParts['filename'], 0, -4);
          $arrayResult = array(
            $result[$i]->ID_designer, // 0
            utf8_encode($result[$i]->nome_designer), // 1
            $basename . '_640.' . $fileParts['extension'], // 2
            utf8_encode($result[$i]->testo_IT_designer), // 3
            utf8_encode($result[$i]->testo_EN_designer), // 4
            $result[$i]->website_designer, // 5
            $result[$i]->ID_linea_designer // 6
          );
        }
      }
    ?>
    <div class="col-lg-6 designer">
      <a href="designers.php"><img src="images/left-arrow.png"></a>
      <h1><?php echo $arrayResult[1]; ?></h1>
      <ul class="top-nav nav-tabs" id="specs" role="tablist">
        <li class="active">
          <a href="#bio"><?php echo $_SESSION['langPref']=='ENG' ? "BIO" : 'BIOGRAFIA'; ?></a>
        </li>
        <li>
          <a href="#products"><?php echo $_SESSION['langPref']=='ENG' ? "PRODUCTS" : 'PRODOTTI'; ?></a>
        </li>
      </ul>
      <div class="tab-content">
        <div class="tab-pane active" id="bio">
          <div class="row">
            <div class="col-lg-12">
              <p style="margin-top: 20px;">
                <?php
                switch($_SESSION['langPref']){
                  default :
                  case 'ENG' :
                    echo $arrayResult[4];
                    break;
                  case 'IT' :
                    echo $arrayResult[3];
                    break;
                }
                ?>
              </p>
            </div>
          </div>
        </div>
        <div class="tab-pane" id="products">
          <div class="row">
            <div class="col-lg-12">
              <?php
              $arrayLinesList = array();
              foreach(explode(',', $arrayResult[6]) as $lines => $line) {
                $arrayLinesList[] = '"' . $line . '",';
              }
              $query = $dbConnect->query("
                SELECT
                  *
                FROM
                  prodotti
                WHERE
                  prodotti.ID_linea IN (" . substr(implode('', $arrayLinesList), 0, -1) . ")
              ");
              $result = $dbConnect->extractObject($query);
              if(count($result)>0) {
                echo '<ul style="margin-top: 20px;">';
                for($i=0;$i<count($result);$i++) {
                  $co = '';
                  if($result[$i]->ID == 58){
                    $co = '(Claudio Dondoli)';
                  }elseif($result[$i]->ID == 53 && $_GET['ID'] == 19 || $result[$i]->ID == 40 && $_GET['ID'] == 19 || $result[$i]->ID == 41 && $_GET['ID'] == 19 || $result[$i]->ID == 62 && $_GET['ID'] == 19 || $result[$i]->ID == 63 && $_GET['ID'] == 19) {
                    $co = '(with Gianfranco Gualtierotti)';
                  }elseif($result[$i]->ID == 53 && $_GET['ID'] == 7 || $result[$i]->ID == 40 && $_GET['ID'] == 7 || $result[$i]->ID == 41 && $_GET['ID'] == 7 || $result[$i]->ID == 62 && $_GET['ID'] == 7 || $result[$i]->ID == 63 && $_GET['ID'] == 7) {
                    $co = '(with Giancarlo Vegni)';
                  }elseif($result[$i]->ID == 26 && $_GET['ID'] == 10 || $result[$i]->ID == 27 && $_GET['ID'] == 10 || $result[$i]->ID == 28 && $_GET['ID'] == 10 || $result[$i]->ID == 29 && $_GET['ID'] == 10 || $result[$i]->ID == 61 && $_GET['ID'] == 10) {
                    $co = '(with Patricia Urquiola)';
                  }elseif($result[$i]->ID == 26 && $_GET['ID'] == 18 || $result[$i]->ID == 27 && $_GET['ID'] == 18 || $result[$i]->ID == 28 && $_GET['ID'] == 18 || $result[$i]->ID == 29 && $_GET['ID'] == 18 || $result[$i]->ID == 61 && $_GET['ID'] == 18) {
                    $co = '(with Sung Sook Kim)';
                  }
                  echo '<li><a href="product.php?ID=' . $result[$i]->ID . '">' . utf8_encode($arrayLines[$result[$i]->ID_linea][0]) .' '. $result[$i]->nome .'</a>  ' . ($co) .'</li>';
                }
                echo '</ul>';
              } else {
                echo '<p style="margin-top: 20px;">This designer has no products listed here!</p>';
              }
              ?>
            </div>
          </div>
        </div>
      </div>
    </div><!-- /.left_cont -->
    <div class="col-lg-6 right_cont">
      <img src="admin/assets/admin/layout/img/designers/<?php echo $arrayResult[2]; ?>" class="img-responsive" />
    </div><!-- /.right_cont -->
    <?php
    }
    ?>
Answer 0 (score: 1)
Possible injection:
WHERE ID = '" . $_GET['ID'] . "'
For example $_GET['ID'] = "' or 1 = 1"
Solution: use parameterized queries.
Answer 1 (score: 1)
One problem (without having read all the code) is building the SQL statement directly from user input (e.g. GET or POST data).
In your code:
WHERE ID = '" . $_GET['ID'] . "'
You should use prepared statements - read How can I prevent SQL injection in PHP?
Answer 2 (score: 0)
If you are using PDO, make sure to use:
WHERE `id`=:id
and then use it like:
$stmnt = $dbConnect->prepare($sql);
$stmnt->execute(Array(":id"=>$_GET['id']));
If you want to protect against magic quotes caused by higher-level searches, that should help you ;)
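To tie the answers together, here is an added example (not code from the question or from any of the answers) that rewrites both queries from the question as PDO prepared statements, including the `IN (...)` product lookup, which needs one placeholder per value. It assumes the site's `$dbConnect` wrapper is replaced by a PDO instance; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the poster's code: both queries from the question as PDO
// prepared statements. Assumes a PDO connection; the original wrapper's
// query()/extractObject() methods are not shown, so they are not used here.
declare(strict_types=1);

function fetchDesigner(PDO $pdo, string $rawId): ?array
{
    // A placeholder already stops the value from changing the statement;
    // the digit check additionally turns junk input into a clean "not found".
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT ID, nome, immagine, testo_IT, testo_EN, website, ID_linea
           FROM designers
          WHERE ID = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function fetchProductsForLines(PDO $pdo, string $idLineaCsv): array
{
    // ID_linea holds a comma-separated list ("3,7,12"). An IN (...) clause
    // needs one placeholder per value, so build "?, ?, ?" from the clean list
    // instead of concatenating quoted strings as the question does.
    $ids = array_values(array_filter(
        array_map('trim', explode(',', $idLineaCsv)),
        'ctype_digit'
    ));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM prodotti WHERE ID_linea IN ($placeholders)");
    $stmt->execute(array_map('intval', $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// DSN and credentials are placeholders (assumption, not from the question).
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side escaping
]);
$designer = isset($_GET['ID']) ? fetchDesigner($pdo, (string) $_GET['ID']) : null;
$products = $designer === null ? [] : fetchProductsForLines($pdo, (string) $designer['ID_linea']);
```

With placeholders the value of `ID` can never become part of the SQL text, so the `' or 1 = 1` input from answer 0 is simply compared against the column as data and matches nothing.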