
A Concrete Code Example of Protecting the Database in PHP

Jun 13, 2016 am 11:06 AM

There is no shortage of cases where poor database handling led to data loss and real damage. This time we look at the code below, a sample script that runs an SQL statement. In this example the SQL statement is a dynamic statement that allows the same attack, SQL injection. The owner of this form may believe it is safe because the column name has been restricted to a select list. But the code ignores the last habit, the one about form spoofing: restricting the options to a dropdown box does not mean that someone else cannot post a form containing whatever they want (including an asterisk [*]).

```php
<html>
<head>
<title>SQL Injection Example</title>
</head>
<body>
<!-- The vulnerable version from the article: both the column and the
     account number go straight from the POST data into the SQL text. -->
<form id="myForm" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
    method="post">
<div><input type="text" name="account_number"
    value="<?php echo htmlspecialchars(isset($_POST['account_number']) ?
        $_POST['account_number'] : ''); ?>" />
<select name="col">
<option value="account_number">Account Number</option>
<option value="name">Name</option>
<option value="address">Address</option>
</select>
<input type="submit" value="Save" name="submit" /></div>
</form>
<?php
/* Note: the mysql_* functions used here were deprecated in PHP 5.5 and
   removed in PHP 7; the listing keeps them as in the original article. */
if (isset($_POST['submit']) && $_POST['submit'] == 'Save') {
    /* do the form processing */
    $link = mysql_connect('hostname', 'user', 'password') or
        die('Could not connect: ' . mysql_error());
    mysql_select_db('test', $link);

    /* The column name comes from the <select>, but nothing stops a forged
       POST from sending any string here, "*" included. */
    $col = $_POST['col'];

    /* Dynamic SQL: both values are concatenated, unvalidated, into the query. */
    $select = "SELECT " . $col . " FROM account_data WHERE account_number = "
        . $_POST['account_number'] . ";";
    echo '<p>' . htmlspecialchars($select) . '</p>';

    $result = mysql_query($select) or die('<p>' . mysql_error() . '</p>');

    echo '<table>';
    while ($row = mysql_fetch_assoc($result)) {
        echo '<tr>';
        echo '<td>' . htmlspecialchars($row[$col]) . '</td>';
        echo '</tr>';
    }
    echo '</table>';

    mysql_close($link);
}
?>
</body>
</html>
```

So, to build the habit of protecting the database in PHP, avoid dynamic SQL code wherever you can. If dynamic SQL cannot be avoided, do not use input directly for the columns. The listing below shows that, besides using static columns, you can also add a simple validation routine to the account number field to make sure the input is not a non-numeric value.

```php
<html>
<head>
<title>SQL Injection Example</title>
</head>
<body>
<!-- The improved version: a static column list, numeric validation of the
     account number, and escaping of the value before it enters the SQL. -->
<form id="myForm" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>"
    method="post">
<div><input type="text" name="account_number"
    value="<?php echo htmlspecialchars(isset($_POST['account_number']) ?
        $_POST['account_number'] : ''); ?>" /> <input type="submit"
    value="Save" name="submit" /></div>
</form>
<?php
/* Note: the mysql_* functions were removed in PHP 7; kept as in the original article. */
function isValidAccountNumber($number)
{
    return is_numeric($number);
}
if (isset($_POST['submit']) && $_POST['submit'] == 'Save') {

    /* Remember habit #1--validate your data! */
    /* "&&" short-circuits, so isValidAccountNumber() is never called on a
       missing field; the original listing had a single "&" here. */
    if (isset($_POST['account_number']) &&
        isValidAccountNumber($_POST['account_number'])) {

        /* do the form processing */
        $link = mysql_connect('hostname', 'user', 'password') or
            die('Could not connect: ' . mysql_error());
        mysql_select_db('test', $link);

        /* Static column list: the user no longer chooses what is selected.
           The is_numeric() check above is what keeps the unquoted %s safe;
           mysql_real_escape_string() only escapes quote and control
           characters and is meant for values inside quoted string literals. */
        $select = sprintf("SELECT account_number, name, address " .
            " FROM account_data WHERE account_number = %s;",
            mysql_real_escape_string($_POST['account_number']));
        echo '<p>' . htmlspecialchars($select) . '</p>';
        $result = mysql_query($select) or die('<p>' . mysql_error() . '</p>');

        echo '<table>';
        while ($row = mysql_fetch_assoc($result)) {
            echo '<tr>';
            echo '<td>' . htmlspecialchars($row['account_number']) . '</td>';
            echo '<td>' . htmlspecialchars($row['name']) . '</td>';
            echo '<td>' . htmlspecialchars($row['address']) . '</td>';
            echo '</tr>';
        }
        echo '</table>';

        mysql_close($link);
    } else {
        /* The original listing wrote "font-color:red", which is not a CSS property. */
        echo "<span style=\"color:red\">" .
            "Please supply a valid account number!</span>";
    }
}
?>
</body>
</html>
```

This example of protecting the database in PHP also shows the use of the mysql_real_escape_string() function. It properly escapes your input so that it contains no invalid characters. If you have been relying on magic_quotes_gpc, note that it has been deprecated and will be removed in PHP V6. Avoid it from now on and write your PHP application to be secure without it. Also, if you are hosted with an ISP, it is quite possible that your ISP does not have magic_quotes_gpc enabled.

Finally, in the improved example you can see that the SQL statement and the output no longer include the dynamic column option. With this approach, if columns holding different information are added to the table later, you can output those columns as well. If you use a framework to work with the database, it may already perform SQL validation for you. Be sure to consult its documentation to confirm the framework is secure; if you are still unsure, validate yourself to be safe. Even when a framework handles the database interaction, other validation is still required.
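As an added example, not part of the article or its listings, the same account lookup rebuilt on PDO: the user's column choice is mapped through an allowlist so only known column names ever reach the SQL text, and the account number is sent as a bound parameter instead of being concatenated. The table and column names follow the listings; the function names selectColumn and fetchAccountColumn, the ALLOWED_COLUMNS constant, the stricter isValidAccountNumber, the sample rows and the use of the pdo_sqlite extension are all assumptions of this example.

```php
<?php
// Added example, not from the article or its listings: the account lookup
// rebuilt on PDO with an allowlisted column and a bound parameter.
// Table and column names follow the article's listings.
declare(strict_types=1);

// Allowlist: the only column names that may appear in the SELECT list.
const ALLOWED_COLUMNS = [
    'account_number' => 'account_number',
    'name'           => 'name',
    'address'        => 'address',
];

/**
 * Return the vetted column name for a form value, or null if the value is
 * not one of the three dropdown options. Only the literal from the table is
 * ever used; the request string itself never reaches the SQL text.
 */
function selectColumn(string $requested): ?string
{
    return ALLOWED_COLUMNS[$requested] ?? null;
}

/**
 * Stricter than the article's is_numeric(), which also accepts forms such as
 * "1e3", " 12" and "-5". An account number here is a non-empty run of digits.
 */
function isValidAccountNumber(string $number): bool
{
    return preg_match('/^[0-9]{1,20}$/', $number) === 1;
}

/**
 * Run the lookup. Throws InvalidArgumentException for any column or account
 * number that fails validation, before any SQL is built.
 */
function fetchAccountColumn(PDO $db, string $requestedCol, string $accountNumber): array
{
    $col = selectColumn($requestedCol);
    if ($col === null || !isValidAccountNumber($accountNumber)) {
        throw new InvalidArgumentException('invalid column or account number');
    }
    // $col is a literal from ALLOWED_COLUMNS, so interpolating it is safe.
    // The account number is bound as a parameter: the statement text is fixed
    // and the driver transmits the value separately from it.
    $stmt = $db->prepare("SELECT {$col} FROM account_data WHERE account_number = :acct");
    $stmt->bindValue(':acct', $accountNumber, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Stand-alone demonstration on an in-memory SQLite database with constructed
// sample rows (assumes the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE account_data (account_number INTEGER, name TEXT, address TEXT)');
$db->exec("INSERT INTO account_data VALUES (1001, 'Alice', '1 Main St'), (1002, 'Bob', '2 Oak Ave')");

// A legitimate request: a dropdown value plus a numeric account number.
print_r(fetchAccountColumn($db, 'name', '1001'));

// Forged posts of the kind the article describes: a "*" column that was never
// in the dropdown, and a non-numeric account number. Both are rejected before
// any statement is prepared.
foreach ([['*', '1001'], ['name', '1001abc']] as [$c, $a]) {
    try {
        fetchAccountColumn($db, $c, $a);
    } catch (InvalidArgumentException $e) {
        echo "rejected: col={$c} acct={$a}\n";
    }
}
```

Against MySQL the same code works with a mysql: DSN; the allowlist, not the driver, is what makes the dynamic column safe, and the bound parameter replaces both mysql_real_escape_string() and the unquoted %s.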

