SQL injection using prepared statements

Time: 2017-03-25 13:31:43

Tags: php mysql mysqli prepared-statement sql-injection

I am working on security against SQL injection in a specific page.

I am using mysqli for the database connection, and using prepared statements.

Problem: PHP issue

Solution: have working/displayed data

<p class="results-count">Records with the text: <b><?php echo $category = $_GET['target']; ?></b> and category: <b><?php echo $category = $_GET['category']; ?></b><span class="search-query"></span></p>


Action: debugging

[Before] code:

$target = $_GET['target'];
$company = $_GET['company'];
$category = $_GET['category'];
// Make the query:
$sql = "select *
from companies where ((Company_Name) LIKE ('%$target%') OR (Company_Subcategory) LIKE ('%$target%') OR (Keywords) LIKE ('%$target%') OR (Description) LIKE ('%$target%')) AND Company_Category = '$category' AND Featured = 'Y' order by Date_Created DESC";
$result = mysqli_query($conn, $sql);
if (mysqli_num_rows($result) > 0) {
    // output data of each row
    while ($row = mysqli_fetch_assoc($result)) {
        $company = $row['companyID'];
        $name = $row['Company_Name'];
        $image = $row['Company_Logo'];
        $myArray = json_decode($image, true);
        echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">
    <div class="thumbnail">
        <div class="place-img-list col-md-5 col-sm-5">
            <img class="group list-group-image img-responsive" src="' . $myImage = $myArray[0]['name'] . '" alt="" />
        </div>
        <div class="caption col-md-7 col-sm-7">
            <div class=" row title-row">
                <p class="featured-text caps">Featured</p>
            </div>
            <div class="biz-info-caption">
                <h2 class="group inner place-title-list">' . $row['Company_Name'] . '</h2>
                <a href="tel:575-522-5690" class="phone-num">' . $row['Telephone_Number'] . '</a>
                <p class="address-list">' . $row['Address'] . '</p>
                <p class="group inner place-description">' . $row['Description'] . '</p>
                <p><a class="more-info-list" href="mini-about.php?company=' . $company . '">More Information</a></p>
                <p class="caps biz-cat-list">Category: <span class="biz-cat-name-list caps">' . $row['Company_Category'] . '</span></p>
                <p class="caps biz-subcat-list">Subcategory: <span class="biz-subcat-name-list caps">' . $row['Company_Subcategory'] . '</span></p>
            </div>
        </div>
    </div>
</div>';
    }
}

[Now] code:

<?php
// 1. Connect
$mysqli = new mysqli("localhost", "username", "password", "database");
if ($mysqli->connect_errno) {
    die("Connect failed: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error);
}
// 2. Prepare
// The OR chain stays in parentheses, as in the old query, so that the
// Company_Category and Featured conditions apply to every match
// (AND binds tighter than OR; without the parentheses only the last LIKE is filtered).
$sql = "select *
from companies where ((Company_Name) LIKE (?) OR (Company_Subcategory) LIKE (?) OR (Keywords) LIKE (?) OR (Description) LIKE (?)) AND Company_Category = ? AND Featured = 'Y' order by Date_Created DESC";
$stmt = $mysqli->prepare($sql);
if (!$stmt) {
    die("Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error);
}
// Variables
$target = $_GET['target'];
$company = $_GET['company'];
$category = $_GET['category'];
// 3. Bind params
// s = string
// i = integer
// d = double (float)
// b = blob (binary data)
// bind_param() takes its arguments by reference, so a literal such as '%$target%'
// cannot be passed (and single quotes would not interpolate $target anyway).
// Build the LIKE pattern in a variable: the % wildcards belong in the bound value, not in the SQL.
$pattern = "%$target%";
$bind_result = $stmt->bind_param("sssss", $pattern, $pattern, $pattern, $pattern, $category);
if (!$bind_result) {
    echo "Binding failed: (" . $stmt->errno . ") " . $stmt->error;
}
// 4. Execute
$execute_result = $stmt->execute();
if (!$execute_result) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}
// $stmt->store_result();
// 5. Bind selected columns to variables
$stmt->bind_result($id, $username);
// 6. Use results
$row = $stmt->fetch();
while ($row) {
    $company = $row['companyID'];
    $name = $row['Company_Name'];
    $image = $row['Company_Logo'];
    $myArray = json_decode($image, true);
    echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">
    <div class="thumbnail">
        <div class="place-img-list col-md-5 col-sm-5">
            <img class="group list-group-image img-responsive" src="' . $myImage = $myArray[0]['name'] . '" alt="" />
        </div>
        <div class="caption col-md-7 col-sm-7">
            <div class=" row title-row">
                <p class="featured-text caps">Featured</p>
            </div>
            <div class="biz-info-caption">
                <h2 class="group inner place-title-list">' . $row['Company_Name'] . '</h2>
                <a href="tel:575-522-5690" class="phone-num">' . $row['Telephone_Number'] . '</a>
                <p class="address-list">' . $row['Address'] . '</p>
                <p class="group inner place-description">' . $row['Description'] . '</p>
                <p><a class="more-info-list" href="mini-about.php?company=' . $company . '">More Information</a></p>
                <p class="caps biz-cat-list">Category: <span class="biz-cat-name-list caps">' . $row['Company_Category'] . '</span></p>
                <p class="caps biz-subcat-list">Subcategory: <span class="biz-subcat-name-list caps">' . $row['Company_Subcategory'] . '</span></p>
            </div>
        </div>
    </div>
</div>';
}
// 7. Free results
$stmt->free_result();
// 8. Close statement
$stmt->close();
// 9. Close MySQL connection
$mysqli->close();

How do I fix this? (Apologies for this code; I am trying to explain with the least amount of code possible while you can still understand the context/source. It is all commented, especially in the new

1 answer:

Answer 0: (score: 4)

Add a semicolon.

$row = $stmt->fetch();

[Addendum. Answering your question in the comments.]

$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    echo '<h2>' . $row['Company_Name'] . '</h2>';
}
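The answer's get_result()/fetch_assoc() pattern, carried through to a complete search page, as an added example that is neither the asker's nor the answerer's code. It assumes the same `companies` table and column names as the question; the host and credentials are placeholders. Beyond what the thread shows, it escapes the LIKE metacharacters `%` and `_` in the user's search text (so they match literally instead of widening the search), turns mysqli errors into exceptions instead of checking every return value by hand, and HTML-escapes request and database values before echoing them, which the question's `<p class="results-count">` line does not do:

```php
<?php
// Added example, not the original poster's code. Assumes the question's
// `companies` table; host/credentials below are placeholders.
declare(strict_types=1);

// Escape LIKE metacharacters so that `%` and `_` typed by the user match literally.
// `!` is declared as the ESCAPE character in the query, so it must be escaped first.
function escapeLike(string $value): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
}

// Run the featured-company search with every user value bound as a parameter.
// Returns the matching rows as associative arrays.
function searchFeaturedCompanies(mysqli $db, string $target, string $category): array
{
    // The OR chain is parenthesised so Company_Category/Featured apply to every match.
    $sql = "SELECT companyID, Company_Name, Company_Logo, Telephone_Number, Address,
                   Description, Company_Category, Company_Subcategory
            FROM companies
            WHERE (Company_Name LIKE ? ESCAPE '!'
                OR Company_Subcategory LIKE ? ESCAPE '!'
                OR Keywords LIKE ? ESCAPE '!'
                OR Description LIKE ? ESCAPE '!')
              AND Company_Category = ?
              AND Featured = 'Y'
            ORDER BY Date_Created DESC";
    $stmt = $db->prepare($sql);

    // bind_param() takes variables by reference, so the pattern lives in a variable.
    // The % wildcards are added to the bound value, never to the SQL text.
    $pattern = '%' . escapeLike($target) . '%';
    $stmt->bind_param('sssss', $pattern, $pattern, $pattern, $pattern, $category);
    $stmt->execute();

    // get_result() (mysqlnd driver) gives a mysqli_result, so the rows come back
    // as associative arrays just like mysqli_fetch_assoc() did in the old code.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// HTML-escape any request or database value before echoing it into the page.
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- usage ---
// Make mysqli throw on connect/prepare/execute errors instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'username', 'password', 'database'); // placeholders
$db->set_charset('utf8mb4');

$target   = $_GET['target'] ?? '';
$category = $_GET['category'] ?? '';

echo '<p class="results-count">Records with the text: <b>' . h($target)
   . '</b> and category: <b>' . h($category) . '</b></p>';

foreach (searchFeaturedCompanies($db, $target, $category) as $row) {
    $logo    = json_decode((string) $row['Company_Logo'], true);
    $logoSrc = $logo[0]['name'] ?? '';
    echo '<div class="item prem-biz-list featured-biz col-md-9 col-xs-9">'
       . '<img class="group list-group-image img-responsive" src="' . h($logoSrc) . '" alt="" />'
       . '<h2 class="group inner place-title-list">' . h($row['Company_Name']) . '</h2>'
       . '<p class="address-list">' . h($row['Address']) . '</p>'
       . '<p class="group inner place-description">' . h($row['Description']) . '</p>'
       . '<p><a class="more-info-list" href="mini-about.php?company='
       . urlencode((string) $row['companyID']) . '">More Information</a></p>'
       . '<p class="caps biz-cat-list">Category: ' . h($row['Company_Category']) . '</p>'
       . '</div>';
}
$db->close();
```

Two points worth keeping in mind when adapting this: `get_result()` and `fetch_all()` need the mysqlnd driver (the default in current PHP builds); with the older libmysql driver you would stay with `bind_result()`, binding one variable per selected column and reading those variables after each `fetch()`. And the `ESCAPE '!'` clause is there deliberately: MySQL's default LIKE escape character is the backslash, which is disabled under the `NO_BACKSLASH_ESCAPES` SQL mode, so naming an explicit escape character keeps `escapeLike()` correct regardless of the server's mode.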