我想让这个页面安全,但我不知道我应该从哪里开始。因为我昨天注射了我treid mysql转义字符串,但我没有多少帮助。我对PDO一无所知,你能挂我吗?这是代码。
<?php
//category.php
require_once('startsession.php');
require_once('php/mysql_prisijungimas.php');
include 'connect.php';
//first select the category based on $_GET['cat_id']
$sql = "SELECT
cat_id,
cat_name,
cat_description
FROM
categories
WHERE
cat_id = " . mysql_real_escape_string($dbc, trim($_GET['id']));
$result = mysql_query($sql);
if(!$result)
{
echo 'The category could not be displayed, please try again later.' . mysql_error();
}
else
{
if(mysql_num_rows($result) == 0)
{
echo 'This category does not exist.';
}
else
{
//display category data
while($row = mysql_fetch_assoc($result))
{
echo '<h2>Topics in ′' . $row['cat_name'] . '′ category</h2><br />';
}
//do a query for the topics
$sql = "SELECT
topic_id,
topic_subject,
topic_date,
topic_cat
FROM
topics
WHERE
topic_cat = " . mysql_real_escape_string($dbc, trim($_GET['id']));
$result = mysql_query($sql);
if(!$result)
{
echo 'The topics could not be displayed, please try again later.';
}
else
{
if(mysql_num_rows($result) == 0)
{
echo 'There are no topics in this category yet.';
}
else
{
//prepare the table
echo '<table border="1">
<tr>
<th>Topic</th>
<th>Created at</th>
</tr>';
while($row = mysql_fetch_assoc($result))
{
echo '<tr>';
echo '<td class="leftpart">';
echo '<h3><a href="topic.php?id=' . $row['topic_id'] . '">' . $row['topic_subject'] . '</a><br /><h3>';
echo '</td>';
echo '<td class="rightpart">';
echo date('d-m-Y', strtotime($row['topic_date']));
echo '</td>';
echo '</tr>';
}
}
}
}
}
?>
答案 0 :(得分:1)
在你的情况下,用引号括起mysql_real_escape_string:
SELECT * FROM table WHERE ID = '".mysql_real_escape_String($_POST['ID'])."'
请注意额外的单引号。这将使其更安全,但最好使用准备好的语句。除了优先使用mysql_query上的预准备语句之外,从php 5.5.0开始,函数mysql_query()将被弃用。
stackoverflow还有另一个主题,它提出了“如何防止PHP Pdo中的SQL注入”的问题。您可能会找到一些示例和额外信息: How can I prevent SQL injection in PHP?