我正在开发一个本地网站,其中包含使用Google地图界面列出的各种位置
我有从各个部分编写的maps.php,但我确信如果有人访问mysite.com/maps.php并构造恶意URL来上传shell,这个文件很容易出现SQL注入或攻击。
我读到了有关PDO语法及其实现的内容,但我不确定如何在此文件中实现它。
有人可以帮助或建议如何从SQL注入等保护此文件。
<?
header ('Content-type: text/html; charset=utf-8');
$Key = "MY GOOGLE MAPS API KEY";
include "../file.php";
$locx = $_GET['locx'];
if ($_GET['lng'] == 'Eng'){
$lng = 'Eng';
} else if($_GET['lng'] == 'Ger') {
$lng = 'Ger';
}
$getSite_sql = "
SELECT
siteId,
description,
latitude,
longitude
FROM tbSite
WHERE siteId = '".$_GET['siteId']."'
";
$getSite_que = sql_query($getSite_sql);
$siteLat = mysql_result($getSite_que, 0, "latitude");
$siteLong = mysql_result($getSite_que, 0, "longitude");
$wherelocx = "";
if ($locx){
$wherelocx = " AND typeId = '" . $locx . "'";
}
$getRoad_sql = "
SELECT
roadId,
siteName,
latitude,
longitude,
name".$lng." AS name,
address,
tel,
fax,
schedule".$lng." AS schedule
FROM tbSite
WHERE roadId = '".$_GET['roadId']."' $wherelocx
";
$getRoad_que = mysql_query($getRoad_sql);
$b=0;
while ($roadi = mysql_fetch_array($getRoads_que)){
$selectedRoad = $roadi['siteName'];
$roads[$b] = array($roadi['latitude'], $roadi['longitude'], $roadi['name']);
if ($roadi['roadId'] == $_GET['roadId']){
$currentRoadLat = $roadi['latitude'];
$currentRoadLong = $roadi['longitude'];
}
$b++;
}
?>