此搜索脚本可以是SQL可注入的吗?

时间:2014-06-29 14:49:36

标签: php mysqli sql-injection

这个网站让我对SQL注入都很偏执 据我所知,这个搜索已经准备好了语句并且是MSQLI但仍然可以注入

感谢

<?php

$searchTerm = trim($_GET['keyname']);

if($searchTerm == "")
{
    echo "Enter name you are searching for.";
    exit();
}

$host = "localhost";
$db = "DB";
$user = "user";
$pwd = "pass";

$link = mysqli_connect($host, $user, $pwd, $db);

$query = "SELECT * FROM TABLE WHERE Name LIKE '%$searchTerm%'";

$results = mysqli_query($link, $query);


if(mysqli_num_rows($results) >= 1)
{
    $output = "";
    while($row = mysqli_fetch_array($results))
    {

echo "<td align='center' width='60'>" . "<a href=\"{$row['page']}\"><img src=\"{$row['img']}\">" ."</td>";
    }
    echo $output;
}
else
    echo "There was no matching record for the name " . $searchTerm;
?>

1 个答案:

答案 0 :(得分:0)

是。您还没有做任何事情来过滤$searchTerm变量,这意味着有人插入到URL中的任何代码都可以在SQL语句中执行。您可以使用mysqli_real_escape_string来转义变量。

$searchTerm = mysqli_real_escape_string($link, $_GET['keyname']);

请参阅http://www.w3schools.com/php/func_mysqli_real_escape_string.asp以供参考。

相关问题
最新问题