Question

我正在使用MySQLi来防止对我网站的任何进一步攻击。我使用PHP 5.6.16，MySQL版本：5.7.9，并使用WAMP

我在搜索带有一些奇怪字符的用户时遇到以下错误，例如在搜索框中添加')字符。

MySQL错误＃1064和SQLi漏洞

如何清理文本框输入并防止搜索任何奇怪或无法识别的字符？

屏幕截图：

代码：

<?php
# Essential files, please don't erase it!
require_once("../functions.php");
require_once("../db-const.php");
session_start();
?>
<html>
<head>

    <script src="script.js" type="text/javascript"></script><!-- put it on user area pages -->
</head>
<body>
    <h1> View Profile </h1>
<hr />
<?php
if (logged_in() == false) {
echo "<script> window.alert(\"Please login first!\"); </script>";
    redirect_to("login.php");
} else {
    if (isset($_GET['username']) && $_GET['username'] != "") {
        $username = $_GET['username'];
    } else {
        $username = $_SESSION['username'];
    }

    ## connect mysql server
        $mysqli = new mysqli(localhost, root, "", loginsecure);
        # check connection
        if ($mysqli->connect_errno) {
            echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
            exit();
        }
    ## query database
        # fetch data from mysql database
        $sql = "SELECT * FROM users WHERE username ='".$username."' LIMIT 1";

        if ($result = $mysqli->query($sql)) {
            $user = $result->fetch_array();
        } else {
            echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
            exit();
        }

        if ($result->num_rows == 1) {
            # calculating online status
            if (time() - $user['status'] <= (5*200)) { // 300 seconds = 5 minutes timeout
                $status = "Yes";
            } else {
                $status = "No";
            }

            # echo the user profile data
            echo "<title> View Profile of: {$user['username']} </title>";
            echo " Account Searcher: <br>
            <form action=\"?username=\" method=\"get\">
            Unique ID: <input type=\"text\" name=\"username\" placeholder=\"Searching for user: {$_GET['username']}\">
            <input type=\"submit\" value=\"Search\">
            </form><hr>
            ";
            echo "Unique ID: {$user['id']}\n<br>Username: {$user['username']}\n<br>First Name: {$user['first_name']}\n<br>Last Name: {$user['last_name']}\n<br>Email: {$user['email']}\n<br>Online? $status\n<br>";
        } else { // If user doesn't exists - trigger this event
            echo " Account Searcher: <br>
            <form action=\"\" method=\"get\">
            Username: <input type=\"text\" name=\"username\" placeholder=\"User not found!\">
            <input type=\"submit\" value=\"Search\">
            </form><hr>
            ";
            echo "<title> User doesn't exists! | Prospekt </title> <p><b>Error:</b> User doesn't exist! Please register first!</p>";
        }
}

// showing the login & register or logout link
if (logged_in() == true) {
    echo '<a href="../logout.php">Log Out</a> | <a href="../home.php"> Go to Home </a>';
} else {
    echo '<a href="../login.php">Login</a> | <a href="register.php">Register</a>';
}
?>
<hr />
</body>
</html>

Answer 1

您正在将值直接发送到数据库查询中，然后再验证它们可能会导致危险。为了防止sql注入，内置的php函数如 mysqli_real_escape_string（）。据说，一个完整的更好的解决方案是使用 Php预备语句与PDO ..

在您的代码中：当您从get或post变量中获取用户的一些数据时，请执行此操作

<?php

$uname=$_GET['username'];
//now validate
$username=mysqli_real_escape_string($conn,htmlspecialchars($uname));
//Now username is somewhat protected.so now use it for sql queries.

?>

Answer 2

您的代码容易受到SQL注入攻击。最好的想法是使用预准备语句或pdo参数化查询。逃避弦乐并消毒它们。详细了解准备好的陈述：http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

PHP |搜索攻击的用户和漏洞

2 个答案: