MySQL准备语句混乱

时间:2016-08-28 05:21:04

标签: php mysql sql prepared-statement sql-injection

好的,所以我在Prepared语句中遇到了很多麻烦。我做了几个小时的研究,似乎仍然无法完全理解一切......

我真的觉得我需要了解Prepared语句,因为我正准备在我的网站上发布一些新的免费API(需要API Key来执行API)但我最近意识到一切都不安全....我可以简单地使用SQL注入来绕过API密钥检查,例如'OR'1'='1

以下是我验证API密钥的方法:

$apikey = $_GET['key'];
$sql = "SELECT * FROM `table` WHERE `key` = '$apikey'";
$query = mysqli_query($con, $sql);
if($query)
{
    $fetchrow = mysqli_fetch_row($query);
    if(isset($fetchrow[0]))
    {
        echo "API Key is valid!";
    }
    else
    {
        echo "API KEY is invalid";
    }
}

如上所述,通过执行我的API

可以轻松绕过这个问题 
http://website.com/api.php?key='OR'1'='1

一开始我真的很害怕,但后来我做了一些研究,并且学会了一种防止任何形式的SQL注入的好方法是使用预备语句,所以我做了很多研究,这对我来说似乎很复杂: /

所以我想我的问题是,如何使用上面的代码,并使用预处理语句使其功能相同?

2 个答案:

答案 0 :(得分:3)

可能你需要的一切:

class Database {
    private static $mysqli;

连接到数据库: 

public static function connect(){
    if (isset(self::$mysqli)){
        return self::$mysqli;
    }
    self::$mysqli = new mysqli("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME");
    if (mysqli_connect_errno()) {
        /*Log error here, return 500 code (db connection error) or something... Details in $mysqli->error*/
    }
    self::$mysqli->query("SET NAMES utf8");
    return self::$mysqli;
}

执行声明并获得结果: 

public static function execute($stmt){
    $stmt->execute();
    if ($mysqli->error) {
        /*Log it or throw 500 code (sql error)*/
    }
    return self::getResults($stmt);
}

将结果绑定到纯数组: 

private static function getResults($stmt){
    $stmt->store_result();
    $meta = $stmt->result_metadata();

    if (is_object($meta)){
        $variables = array();
        $data = array();

        while($field = $meta->fetch_field()) {
            $variables[] = &$data[$field->name];
        }

        call_user_func_array(array($stmt, "bind_result"), $variables);

        $i = 0;
        while($stmt->fetch()) {
            $array[$i] = array();
            foreach($data as $k=>$v)
            $array[$i][$k] = $v;
            $i++;
        }
        $stmt->close();
        return $array;
    } else {
        return $meta;
    }
}

课程结束:) 

}

使用示例: 

public function getSomething($something, $somethingOther){
    $mysqli = Database::connect();
    $stmt = $mysqli->prepare("SELECT * FROM table WHERE something = ? AND somethingOther = ?");
    $stmt->bind_param("si", $something, $somethingOther); // s means string, i means number
    $resultsArray = Database::execute($stmt);
    $someData = $resultsArray[0]["someColumn"];
}

解决您的问题: 

public function isKeyValid($key){
    $mysqli = Database::connect();
    $stmt = $mysqli->prepare("SELECT * FROM table WHERE key = ? LIMIT 1");
    $stmt->bind_param("s", $key);
    $results = Database::execute($stmt);
    return count($results > 0);
}

PHP自动关闭数据库连接,所以不用担心它。

答案 1 :(得分:1)

$sql = "SELECT * FROM `table` WHERE `key` = ?";

if(stmt = $mysqli->prepare($sql)) {
    $stmt->bind_param("i", $apikey);

    $stmt->execute();
    $stmt->bind_result($res);
    $stmt->fetch();

    $stmt->close();
}

了解详情 - http://php.net/manual/en/mysqli.prepare.php

相关问题
最新问题