如何防止SQL注入更改URL参数(DELETE语句)PHP

时间:2013-04-21 10:39:21

标签: php mysql sql-injection url-parameters

我有一个类似下面的代码,用于通过URL参数进行DELETE输入

<td><a href="deletecar.php?car_id=<?php echo $row_cars['car_id']; ?>" onclick=" if ( !confirm('Are you sure to DELETE?') ) return false; ">Delete</a></td>

这是URL参数输出

http://localhost/html/deletecar.php?car_id=17

但如果我将car_id = 17改为car_id = 23(在其他用户车列表中),则删除

我如何防止这种情况

deletecar.php如下所示

<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

if ((isset($_GET['car_id'])) && ($_GET['car_id'] != "") && (isset($_SESSION['MM_Username']))) {
  $deleteSQL = sprintf("DELETE FROM cars WHERE car_id=%s",
                       GetSQLValueString($_GET['car_id'], "int"));

  mysql_select_db($database_conn, $conn);
  $Result1 = mysql_query($deleteSQL, $conn) or die(mysql_error());

  $deleteGoTo = "myaccount.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
    $deleteGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $deleteGoTo));
}
?>

这是我在数据库中的表

INSERT INTO `car` (`car_id`, `c_id`, `c_brand`, `c_model`, `c_model_nd`, `c_model_year`, `c_color`, `c_capacity`, `c_owner`, `c_statu`, `c_show`) VALUES
(16, '34DA1593', 'Volkswagen', 'Volt', '313 CDI', 2006, 'Beyaz', '', 18, 'yakamozturizm', 'Boş', 0),
(17, '34BC5897', 'Mercedes', 'Sprinter', '313CDI', 2006, 'Gri', '', 14, 'PcRestorer', 'Boş', 0),
(18, '34DBC145', 'Volkswagen', 'Volt', '213 CDI', 2013, 'Beyaz', '', 16, 'PcRestorer', 'Boş', 0);

编辑...

我已经改变了我的代码

$colname_delete = "-1";
if (isset($_GET['car_id'])) {
  $colname_delete = $_GET['car_id'];
}
$owner_delete = "-1";
if (isset($_SESSION['MM_Username'])) {
  $owner_delete = $_SESSION['MM_Username'];
}

if ((isset($_GET['car_id'])) && ($_GET['car_id'] != "")) {
  $deleteSQL = sprintf("DELETE FROM minibusler  WHERE car_id = %s AND c_owner =%s", 

GetSQLValueString($colname_delete, "int"),
GetSQLValueString($owner_delete, "text"));

  mysql_select_db($database_conn, $conn);
  $Result1 = mysql_query($deleteSQL, $conn) or die(mysql_error());

  $deleteGoTo = "myaccount.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
    $deleteGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $deleteGoTo));
}

它看起来有效吗您认为这是安全的方法吗

感谢您的帮助

2 个答案:

答案 0 :(得分:1)

在删除car之前的任何情况下,都应该检查它是否属于当前用户。如果没有显示合适的消息。

答案 1 :(得分:0)

使其不那么臃肿

if (empty($_SESSION['MM_Username'])) {
  exit; // take appropriate action here
}
if (empty($_GET['car_id'])) {
  exit; // take appropriate action here
}

mysql_select_db($database_conn, $conn);
$sql = sprintf("DELETE FROM minibusler  WHERE car_id = %s AND c_owner =%s", 
                GetSQLValueString($_GET['car_id'], "int"),
                GetSQLValueString($_SESSION['MM_Username'], "text"));
mysql_query($sql, $conn) or trigger_error(mysql_error());

header("Location: myaccount.php");
exit;
相关问题
最新问题