我有此代码,我想知道我是否在正确清理我的代码(用户输入) 我正在为正在使用的系统练习安全编码 而且我想知道我是否以正确的方式做事。
如果有什么我可以改进的东西,以使事情更牢固,我非常想知道它们。
更新
总和读取后,我已经更改了与PDO的连接,如果我目前了解我不需要清理查询的话?
<?php
require_once 'app/helpers.php';
session_start();
$error = '';
if($_POST){
$itemtype = filter_input(INPUT_POST, 'itemtype', FILTER_SANITIZE_STRING);
$itemtype = trim($itemtype);
$display = filter_input(INPUT_POST, 'itemdisplay', FILTER_SANITIZE_STRING);
$display = trim($display);
$brand = filter_input(INPUT_POST, 'brand', FILTER_SANITIZE_STRING);
$brand = trim($brand);
$model = filter_input(INPUT_POST, 'model', FILTER_SANITIZE_STRING);
$model = trim($model);
$spec = filter_input(INPUT_POST, 'spec', FILTER_SANITIZE_STRING);
$spec = trim($spec);
$sn = filter_input(INPUT_POST, 'sn', FILTER_SANITIZE_STRING);
$sn = trim($sn);
$setname = filter_input(INPUT_POST, 'setname', FILTER_SANITIZE_STRING);
$setname = trim($setname);
$itemstat = filter_input(INPUT_POST, 'itemstat', FILTER_SANITIZE_STRING);
$itemstat = trim($itemstat);
if(empty($itemtype)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> תכניס את הפריט לקבוצה לא יפה! </div>';
}elseif (empty($display)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> אם לא נציג ניתן לו שם איך יקחו אותו? </div>';
}elseif (empty($brand)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> סליחה... מי יצר את הפריט? </div>';
}elseif (empty($model)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> רגע...איזה דגם זה? </div>';
}elseif (empty($spec)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> לא מגיע שתכתוב עליו כמה מילים? </div>';
}elseif (empty($sn)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> מספר סידורי זה הכי אחי (ושלא יהיה אותו דבר כמו של פריט אחר...לא נעים..) </div>';
}elseif (empty($setname)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> אני חייב להיות בזוגיות...מה שם הסט שלי? </div>';
}elseif (empty($itemstat)){
$error = '<div class="alert alert-danger alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> לאחרונה סיימתי קשר רציני... מה הסטטוס שלי? </div>';
}else{
if(!empty(filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING)) || !empty(filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING)) || !empty($_FILES['file']['name'])) {
$uploadedFile = '';
if (!empty($_FILES["file"]["type"])) {
$fileName = $_FILES['file']['name'];
$valid_extensions = array("jpeg", "jpg", "png");
$temporary = explode(".", $_FILES["file"]["name"]);
$file_extension = end($temporary);
if ((($_FILES["file"]["type"] == "image/jpg") || ($_FILES["file"]["type"] == "image/jpeg")) && in_array($file_extension, $valid_extensions)) {
$sourcePath = $_FILES['file']['tmp_name'];
$targetPath = "items-img/" . $fileName;
if (move_uploaded_file($sourcePath, $targetPath)) {
$uploadedFile = $fileName ;
}
}
}
}
$stm = $link -> prepare("INSERT INTO item (item_desc,display,brand,model,spec,sn,set_name,status,item_pic) VALUES ('$itemtype','$display','$brand','$model','$spec','$sn','$setname','$itemstat','$uploadedFile')");
$stm->execute(array('item_desc' => $itemtype , 'display' => $display ,'brand' => $brand ,'model' => $model ,'item_desc' => $itemtype ,'spec' => $spec ,
'sn' => $sn ,'set_name' => $setname ,'status' => $itemstat ,'name' => $uploadedFile ));
$error = '<div class="alert alert-success alert-dismissable">
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button> יש לנו פריט חדש! </div>';
}
}
?>
<div>
<?= $error ?>
</div>
答案 0 :(得分:2)
您正在清理用户输入并转义字符串。仅此一项是不安全的。看一下使用准备好的语句。 http://php.net/manual/en/mysqli.prepare.php
这意味着您准备SQL语句,然后将参数绑定到该语句,然后执行该语句并将其发送到您的Dbms。一个很好的解释(带有漂亮的图表)是该线程的第三个答案。 How does a PreparedStatement avoid or prevent SQL injection?
示例代码取自第一个线程。尝试将其分解并了解其含义。它易于遵循且易于实现。
function secured_signup($username,$password)
{
$connection = new mysqli($dbhost,$dbusername,$dbpassword,$dbname);
if ($connection->connect_error)
die("Secured");
$prepared = $connection->prepare("INSERT INTO `users` ( `username` , `password` ) VALUES ( ? , ? ) ; ");
if($prepared==false)
die("Secured");
$result=$prepared->bind_param("ss",$username,$password);
if($result==false)
die("Secured");
$result=$prepared->execute();
if($result==false)
die("Secured");
$prepared->close();
$connection->close();
}
希望这对您有帮助。但是我仍然建议将其发布到堆栈交换上的代码审查中