jQuery security regarding MySQL injection

Time: 2013-12-05 14:10:14

Tags: php jquery security

I know it may be unconventional, but I would like to know whether the code below is secure.

The first piece of code is the jQuery object creation and the call to the retrieve_data function:

// category and limit are assumed to be in scope here (function parameters,
// as in article_box_basic further down); the original post does not show them.
var dataset = [
    {
        query_column: "articles.id,articles.category_id,articles.text,articles.slug article_slug,site_categories.title,site_categories.slug site_categories_slug",
        table_name: 'articles',
        query_join: 'LEFT JOIN site_categories ON site_categories.Id = ' + category,
        query_filter: ['articles.category_id LIKE ', '%' + category + '%'],
        query_limit: 'LIMIT ' + limit,
        unique_column_switch: '1'
    }
];
retrieve_data(dataset, function (data) {
    // callback body omitted in the original post
});

Next is the retrieve_data function itself:

function retrieve_data(dataset, callback) {
    $.ajax(
        {
            type: "POST",
            url: "<?php echo ROOT_URL; ?>php/content/retrieve_data.php",
            data: {json: JSON.stringify(dataset)},
            success: function (data) {
                var data = $.parseJSON(data);
                callback(data);
            }
        });
}

Finally, the PHP retrieves the data and prints it out to return it to jQuery:

<?php
mb_internal_encoding("UTF-8");
session_start();
include '../../config.php';
include ROOT_DIR . "php/dbconnection/dbconnection.php";
include ROOT_DIR . 'php/authentication/encryption.php';
$encrypt_decrypt = new encryption();
$json = json_decode($_POST['json']);
$array = array();

/*
 * THIS IS TO BUILD A STRING OF DIFFERENT QUERIES TO BE PERFORMED UPON UPDATE BEING PRESSED
 * PARAMS:
 * data_value:::::::::::: THE VALUE USED TO FIND THE ROW
 * table_name:::::::::::: TABLE NAME
 * unique_column::::::::: UNIQUE DATA ELEMENT THAT LINKS ALL THE TABLES TOGETHER
 * query_end::::::::::::: END OF QUERY (EXTRA WHERE CLAUSES, ORDER BY, LIMIT, ETC)
 * query_column:::::::::: COLUMNS THAT ARE GOING TO BE CALLED, DEFAULTS TO * IF USING JOINS THEN THIS MUST BE SPECIFIED I.E. TABLE1.*, TABLE2.*, ETC
 * query_join:::::::::::: SET ANY JOINS HERE
 * unique_column_switch:: IF SET TO 1 DISABLES USE OF A UNIQUE COLUMN AND USES QUERY END EXCLUSIVELY
 */
foreach($json as $item){
    // Every fragment below is escaped as a string literal but then concatenated unquoted into the statement.
    $table_name = $mysqli->real_escape_string($item->table_name);
    $unique_column = $mysqli->real_escape_string($item->unique_column);
    $data_value = $mysqli->real_escape_string($item->data_value);
    $query_column = $mysqli->real_escape_string($item->query_column);
    $query_join = $mysqli->real_escape_string($item->query_join);
    $query_filter = $item->query_filter;
    $query_order = $mysqli->real_escape_string($item->query_order);
    $query_limit = $mysqli->real_escape_string($item->query_limit);
    $unique_column_switch = $mysqli->real_escape_string($item->unique_column_switch);
    $query_filter_safe = array();
    // Odd positions of query_filter are treated as values and quoted; even positions are raw SQL fragments.
    foreach($query_filter as $key1 => $val1){
        array_push($query_filter_safe, ($key1 % 2) ? "'" . $mysqli->real_escape_string($val1) . "'" : $mysqli->real_escape_string($val1));
    }
    if(empty($unique_column) && $unique_column_switch != '1'){
        $query1 = $mysqli->query("SHOW KEYS FROM `$table_name` WHERE Key_name = 'PRIMARY'");
        $fetch1 = $query1->fetch_array(MYSQLI_ASSOC);
        $unique_set = $fetch1['Column_name'] . " = '" . $data_value . "'";
        $unique_column = $fetch1['Column_name'];
    } else{
        $unique_set = ($unique_column_switch != '1') ? "`" . $table_name . "`.`" . $unique_column . "` = '" . $data_value . "'" : '';
    }
    $unique_column = (empty($unique_column)) ? '' : $unique_column;
    $where = (empty($unique_set) && empty($query_filter)) ? '' : 'WHERE';
    $select_items = (empty($query_column)) ? '*' : $query_column;
    $query2 = "SELECT " . $select_items . " FROM " . $table_name . " " . $query_join . " " . $where . " " . $unique_set . " " . join(' ', $query_filter_safe) . " " . $query_order . " " . $query_limit;
    //echo $query2;
    $query2 = $mysqli->query($query2);
    for($x = 0; $fetch2 = $query2->fetch_array(MYSQLI_ASSOC); $x++){
        $fetch2 = $encrypt_decrypt->decrypt_val($fetch2, $table_name, $mysqli);
        foreach($fetch2 as $column => $value){
            ($unique_column == $column) ? $array[$table_name][$x]['INDEX_VALUE'] = $value : $array[$table_name][$x][$column] = $value;
        }
    }
}
echo json_encode($array);

Edit 12/5, 12:00 noon EST

I have rewritten what I was trying to do. Thanks again to everyone for the pointers! @MonkeyZeus and @Carth were very helpful.

<?php
include '../../config.php';
include ROOT_DIR . "php/dbconnection/dbconnection_pdo.php";
// The statement text is fixed; the username is bound as a parameter.
$query = "SELECT * FROM site_users WHERE username = :username";
$query = $pdo->prepare($query);
$query->execute(array('username' => $_POST['username']));
$result = $query->fetchAll(PDO::FETCH_ASSOC);
echo json_encode($result);

Back to the jQuery:

function article_box_basic(category, limit, max_char_count, location) {
    $.ajax(
        {
            type: "POST",
            url: "<?php echo ROOT_URL; ?>php/content/article_box_basic.php",
            data: {username: 'moltmans'},
            success: function (data) {
                var data = $.parseJSON(data);
                // do something with the data here
            }
        });
}

1 Answer:

Answer 0 (score: 5)

This is clearly not a "secure" approach. Client-side validation and control should be regarded as an inherently insecure convenience for producing requests, not as a means of implementing real security. Your server-side code should validate the request parameters in the context of who your user is and what they are doing. Since the user can set "dataset" to anything they want, it does not matter whether the category variable itself is prone to injection given how it is used in the rest of the statement.

By exposing your schema on the client side, you are giving away valuable information that does not need to be exposed.
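As an added example (not code from the question or the answer) of the server-side validation the answer calls for, here is a replacement retrieve_data.php for the article listing in the question: the whole statement lives on the server, the client may only choose a category id, a row limit and a sort key, each is checked against a narrow contract, and the values are bound with PDO as in the poster's edit. The $pdo handle from dbconnection_pdo.php, the join condition articles.category_id = site_categories.id and the allow-listed sort columns are assumptions, not taken from the page.

```php
<?php
// Added example, not the question's or the answer's code.
// Assumed: $pdo is a PDO connection created by the site's dbconnection_pdo.php include;
// table and column names follow the SELECT in the question; the join condition is assumed.
declare(strict_types=1);

include '../../config.php';
include ROOT_DIR . "php/dbconnection/dbconnection_pdo.php";

/**
 * Validate the raw request parameters and return a [sql, params] pair.
 * Throws InvalidArgumentException for anything outside the contract, so the
 * caller can answer with a 400 instead of ever running a statement.
 */
function build_article_query(array $input): array
{
    // The category is an id, so it must be a positive integer (no LIKE '%..%' on an id).
    $category = filter_var($input['category'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($category === false) {
        throw new InvalidArgumentException('category must be a positive integer');
    }

    // The limit is bounded on both sides; the client cannot request the whole table.
    $limit = filter_var($input['limit'] ?? 10, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 50]]);
    if ($limit === false) {
        throw new InvalidArgumentException('limit must be an integer between 1 and 50');
    }

    // Identifiers cannot be bound as parameters, so the ORDER BY target is taken
    // from a server-owned allow-list keyed by a short name; request text never
    // reaches the statement. (Allow-list contents are an assumption.)
    $allowed_order = ['id' => 'articles.id', 'title' => 'site_categories.title'];
    $order_key = (string) ($input['order'] ?? 'id');
    if (!array_key_exists($order_key, $allowed_order)) {
        throw new InvalidArgumentException('unknown order key');
    }

    // Column list, join and WHERE clause are fixed server-side text.
    $sql = 'SELECT articles.id, articles.category_id, articles.text, '
         . 'articles.slug AS article_slug, site_categories.title, '
         . 'site_categories.slug AS site_categories_slug '
         . 'FROM articles '
         . 'LEFT JOIN site_categories ON site_categories.id = articles.category_id '
         . 'WHERE articles.category_id = :category '
         . 'ORDER BY ' . $allowed_order[$order_key] . ' '
         . 'LIMIT :limit';

    return [$sql, ['category' => $category, 'limit' => $limit]];
}

try {
    [$sql, $params] = build_article_query($_POST);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['error' => $e->getMessage()]);
    exit;
}

$stmt = $pdo->prepare($sql);
// LIMIT must receive an integer bind; PDO::PARAM_INT keeps the value from being quoted.
$stmt->bindValue(':category', $params['category'], PDO::PARAM_INT);
$stmt->bindValue(':limit', $params['limit'], PDO::PARAM_INT);
$stmt->execute();

header('Content-Type: application/json; charset=utf-8');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The point this makes against the original retrieve_data.php: real_escape_string only neutralises quote characters inside a quoted string literal, and query_join, query_limit, query_column and the even-numbered query_filter entries are concatenated into the statement unquoted, so escaping them changes nothing. Table names, column names, join clauses and keywords cannot be bound as parameters either, which is why the hardened version maps a client-chosen key to server-owned SQL text and sends the client nothing about the schema beyond the result rows.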