First, my code (I'm using PDO because I was told it is more secure):

<?php
// Dan - PDO Connection and Insert
$servername = "REMOVED";
$username = "REMOVED";
$password = "REMOVED";
$dbname = "REMOVED";
$from = "REMOVED"; // sender address used in the mail From: header
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // Set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $FirstName = trim(addslashes(htmlspecialchars($_POST['FirstName'])));
    $LastName = trim(addslashes(htmlspecialchars($_POST['LastName'])));
    $Company = trim(addslashes(htmlspecialchars($_POST['Company'])));
    $Email = trim(addslashes(htmlspecialchars($_POST['Email'])));
    $Telephone = trim(addslashes(htmlspecialchars($_POST['Telephone'])));
    $Subject = trim(addslashes(htmlspecialchars($_POST['Subject'])));
    $Message = trim(addslashes(htmlspecialchars($_POST['Message'])));
    $stmt = $conn->prepare("INSERT INTO contact_form (FirstName, LastName, Company, Email, Telephone, Subject, Message)
        VALUES (:FirstName, :LastName, :Company, :Email, :Telephone, :Subject, :Message)");
    $stmt->bindParam(':FirstName', $FirstName);
    $stmt->bindParam(':LastName', $LastName);
    $stmt->bindParam(':Company', $Company);
    $stmt->bindParam(':Email', $Email);
    $stmt->bindParam(':Telephone', $Telephone);
    $stmt->bindParam(':Subject', $Subject);
    $stmt->bindParam(':Message', $Message);
    // execute() runs the INSERT; no result set is returned
    $stmt->execute();
    $to = "REMOVED";
    $subject = "Contact Us";
    $message = "First Name: ". $_POST['FirstName'] ."
    \nLast Name: ". $_POST['LastName'] ."
    \nCompany: ". $_POST['Company'] ."
    \nEmail Address: ". $_POST['Email'] ."
    \nTelephone: ". $_POST['Telephone'] ."
    \nSubject: ". $_POST['Subject'] ."
    \nComments: ". $_POST['Message'] ."";
    $headers = "From:" . $from;
    mail($to, $subject, $message, $headers);
    header('Location: thank-you.php');
}
catch(PDOException $e) {
    echo "Error: " . $e->getMessage();
}
$conn = null;
?>
Is this statement already secure? I was told that passing variables directly into the query is bad practice and can be used for injection and the like.
How can I make this query secure / injection-free, or at least reduce the risk to a minimum?
Answer 0: (score: 1)
The basic syntax of bindValue is as follows:
So this is your code:
$sql = "INSERT INTO contact_form (FirstName, LastName, Company, Email, Telephone, Subject, Message)
    VALUES (:Firstname, :LastName, :Company, :Email, :Telephone, :Subject, :Message)";
$new_statement = $conn->prepare($sql);
// Optional third and fourth arguments: the data type and a maximum length
$new_statement->bindValue(':Firstname', $FirstName, PDO::PARAM_STR, 100);
$new_statement->bindValue(':LastName', $LastName);
$new_statement->bindValue(':Company', $Company);
$new_statement->bindValue(':Email', $Email);
$new_statement->bindValue(':Telephone', $Telephone);
$new_statement->bindValue(':Subject', $Subject);
$new_statement->bindValue(':Message', $Message);
$new_statement->execute();
Don't put quotes around the placeholder, by the way (you must write :target in the query, not ':target'); the quoting is handled automatically.
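As an added example (not code from the question or the answer), the following shows what the binding itself buys you: the same inputs are stored twice, once bound raw and once after the question's addslashes/htmlspecialchars step, and in neither case does any SQL inside the data get executed, while the second copy is stored mangled. It assumes the pdo_sqlite extension so it runs without a MySQL server.

```php
<?php
// Added example, not code from the question or the answer. Uses an in-memory
// SQLite database (assumes the pdo_sqlite extension) so it runs offline; the
// behaviour is the same with pdo_mysql, where you should also set
// PDO::ATTR_EMULATE_PREPARES to false so the server itself binds the values.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE contact_form (FirstName TEXT, Message TEXT)');

// Constructed sample input: a legitimate apostrophe and a classic injection attempt.
$post = [
    'FirstName' => "O'Brien",
    'Message'   => "Hi & bye'); DROP TABLE contact_form; --",
];

$stmt = $conn->prepare(
    'INSERT INTO contact_form (FirstName, Message) VALUES (:FirstName, :Message)'
);

// 1) Bind the raw values. The placeholder is never quoted in the SQL text;
//    quotes and keywords inside the value travel as data, never as SQL.
$stmt->bindValue(':FirstName', $post['FirstName'], PDO::PARAM_STR);
$stmt->bindValue(':Message',   $post['Message'],   PDO::PARAM_STR);
$stmt->execute();

// 2) The question's pipeline: addslashes(htmlspecialchars(...)) before binding.
//    It adds nothing against SQL injection and changes what gets stored.
$stmt->bindValue(':FirstName', addslashes(htmlspecialchars($post['FirstName'])), PDO::PARAM_STR);
$stmt->bindValue(':Message',   addslashes(htmlspecialchars($post['Message'])),   PDO::PARAM_STR);
$stmt->execute();

// The table survived and holds exactly two rows: the DROP TABLE text was stored, not run.
$count = (int) $conn->query('SELECT COUNT(*) FROM contact_form')->fetchColumn();
if ($count !== 2) {
    throw new RuntimeException("expected 2 rows, got $count");
}

$rows = $conn->query('SELECT FirstName, Message FROM contact_form ORDER BY rowid')
             ->fetchAll(PDO::FETCH_ASSOC);
// Row 0 holds O'Brien verbatim; row 1 holds O&#039;Brien (PHP >= 8.1 defaults)
// or O\'Brien (older PHP): mangled data, not safer data.
echo 'bound raw   : ', $rows[0]['FirstName'], ' | ', $rows[0]['Message'], PHP_EOL;
echo 'pre-escaped : ', $rows[1]['FirstName'], ' | ', $rows[1]['Message'], PHP_EOL;

// Escape for the output context when rendering, not before storing.
echo '<td>', htmlspecialchars($rows[0]['Message'], ENT_QUOTES, 'UTF-8'), '</td>', PHP_EOL;
```

Run it with `php example.php`; the first printed row shows the data exactly as submitted, the second shows what the extra escaping did to it.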