Question

我是PHP和数据库编程的新手，并且一直在尝试将表单中的数据添加到MySQL数据库中。它工作正常，但这对我的MySQL注入是开放的吗？我已经阅读了大量的教程，并且我正在思考PDO准备好的语句。例如，我如何为我的评论字段执行此操作？该字段（它是一个文本字段）对于用户想要放置的内容是相当开放的。我怎么写这个以使它更安全？

<?php
ob_start();
$username = 'name'; 
$password = 'pass'; 
$host = 'localhost'; 
$dbname = 'map';



try {
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO Incidents (


        protocol,
        jurisdiction,
        date,
        time,
        comments,
        video,
        lat,
        lng



            )

        VALUES (


        '".$_POST["protocol"]."',
        '".$_POST["jurisdiction"]."',
        '".$_POST["date"]."',
        '".$_POST["time"]."',
        '".$_POST["comments"]."',
        '".$_POST["video"]."',
        '".$_POST["lat"]."',
        '".$_POST["lng"]."'


        )

        ";

// use exec() because no results are returned
$dbh->exec($sql);
header("Location: map1.php"); 

}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}

$dbh = null;




ob_end_flush();
?>

Answer 1

你已经使用过PDO了，这非常好。

但是，您还应该使用准备好的语句，这应该是SQL注入证明。请查看此链接以获取更多信息：http://php.net/manual/en/pdo.prepared-statements.php

doc：

中的插入示例

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

Answer 2

PDO 已经非常安全了。现在，您可以使用bindParam()来增强安全性，例如：

<?php
 ob_start();
 $username = 'name'; 
 $password = 'pass'; 
 $host = 'localhost'; 
 $dbname = 'map';

try {
 $dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
 // set the PDO error mode to exception
 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

 $sql = "INSERT INTO Incidents SET protocol = ?, jurisdiction = ?, date = ?, time = ?, comments = ?, video = ?, lat = ?, lng = ? ";
 $smt->$dbh->prepare($sql);
 $smt->bindParam(1, $_POST["protocol"]);
 $smt->bindParam(2, $_POST["jurisdiction"]);
 $smt->bindParam(3, $_POST["date"]);
 $smt->bindParam(4, $_POST["time"]);
 $smt->bindParam(5, $_POST["comments"]);
 $smt->bindParam(6, $_POST["video"]);
 $smt->bindParam(7, $_POST["lat"]);
 $smt->bindParam(8, $_POST["lng"]);

 // use exec() because no results are returned
 $smt->execute();
 if($smt->rowCount()) { // if insertion success
   header("Location: map1.php"); 
 }

}
catch(PDOException $e) {
   echo $sql . "<br>" . $e->getMessage();
}

 $dbh = null;

 ob_end_flush();
?>

Answer 3

您应该使用prepare语句。

好吧，这样做：

new PDO("mysql:host=$host;dbname=$dbname", $username, $password);

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';

$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));

$sth->execute(array(':calories' => $variable, ':colour' => $color ));

$red = $sth->fetchAll();

$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));

$yellow = $sth->fetchAll();

示例最初取自php.net

您可以在此处详细了解：http://php.net/manual/en/pdo.prepare.php

Answer 4

1) Use PDO
2) Escape all the special characters
3) Use parameterized queries

参考此How can I prevent SQL injection in PHP?

如何通过MySQL注入确保此插入安全？

4 个答案: