Mysql security testing
一、没有进行预处理的SQL语句
<?php
// 1.连接数据库
$conn = mysql_connect('127.0.0.1:3306', 'root', '518666');
if (!$conn)
{
die("Could not connect:" . mysql_error());
}
// 2.选择数据库
mysql_select_db('mysql_safe', $conn);
// 3.设置编码,注意这里是utf8而不是utf-8,如果写后者,MySQL不会识别的,会出现乱码的。
mysql_query("SET NAMES utf8");
$title = "我们的爱情";
$content = '你是/谁啊,大几\都"老梁"做做&>women<a>没';
$add_time = date("Y-m-d H:i:s");
// 转义字符
$content = mysql_real_escape_string($content);
$content = htmlspecialchars($content, ENT_COMPAT);
// 你是/谁啊,大几都做做&>women<a>没 // 自动过滤反斜杠
/*
// 4.插入一条数据
$insert_sql = "insert into post_tbl (title, content, user_id, add_time) values ('{$title}', '{$content}', '4742551', '{$add_time}')";
if(mysql_query($insert_sql))
{
echo 'ok';
}
else
{
echo "Error : " . mysql_error();
}
$ret = mysql_affected_rows();
print_r($ret);
*/
// 5.PDO预处理插入
// PDO(PHP Data Object)则是提供了一个 Abstraction Layer 来操作数据库
// 查询
$user_id = 174742;
$password = "''or '1=1'" ;
$sql = "select * from post_tbl where user_id = {$user_id} and password = {$password}";
print_r($sql);
$query = mysql_query($sql);
// $result = mysql_fetch_array($query);
$rows = array();
while($row=mysql_fetch_array($query))
{
$rows[] = $row;
}
print_r( $rows);
// 关闭数据库连接
mysql_close($conn);
/*
$str = "Bill & 'Steve'";
echo htmlspecialchars($str, ENT_COMPAT); // 只转换双引号
echo "<br>";
echo htmlspecialchars($str, ENT_QUOTES); // 转换双引号和单引号
echo "<br>";
echo htmlspecialchars($str, ENT_NOQUOTES); // 不转换任何引号
*/
/*
以上代码的 HTML 输出如下(查看源代码):
<!DOCTYPE html>
<html>
<body>
Bill & 'Steve'<br>
Bill & 'Steve'<br>
Bill & 'Steve'
</body>
</html>
以上代码的浏览器输出:
Bill & 'Steve'
Bill & 'Steve'
Bill & 'Steve'
*/
function mforum_html_tag_to_html_entity($content)
{
$content = (string)trim($content);
if(empty($content)) return '';
// $content = str_replace(' ', ' ', $content);
$content = htmlspecialchars($content, ENT_COMPAT, GB2312, false);
$content = str_replace(">", ">", $content);
$content = str_replace("<", "<", $content);
$content = str_replace("\"", """, $content);
$content = preg_replace("/\\\$/", "$", $content);
$content = preg_replace("/\r/", "", $content);
$content = str_replace("!", "!", $content);
$content = str_replace("'", "'", $content);
$content = preg_replace("/\\\/", "\", $content);
// 内容敏感词过滤
return $content;
}二、PDO处理的SQL语句
<?php
// PDO的使用
// http://blog.csdn.net/qq635785620/article/details/11284591
$dbh = new PDO('mysql:host=127.0.0.1:3306;dbname=mysql_safe', 'root', '518666');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('set names utf8');
$title = "我们的爱情";
$content = '你是/谁啊,大几\都"老梁"做做&>women<a>没' . " 测试打印号'我是单引号'哈哈";
$user_id = 174742;
$add_time = date("Y-m-d H:i:s");
// $insert_sql = "insert into post_tbl (title, content, user_id, add_time) values (:x_title, :x_content, :x_user_id, :x_add_time)";
// $stmt = $dbh->prepare($insert_sql);
// $stmt->execute(array('x_title'=>$title,':x_content'=> $content, ':x_user_id' => $user_id, ':x_add_time' => $add_time));
// 查询
$user_id = "17474#";
// $password = "''or '1=1'";
$password = 123456;
$sql = 'select * from post_tbl where user_id = :x_user_id and password = :x_password';
$stmt = $dbh->prepare($sql);
$stmt->execute(array(':x_user_id'=>$user_id, ':x_password' => $password));
$rows = array();
while($row = $stmt->fetch(PDO::FETCH_ASSOC))
{
$rows[] = $row;
}
print_r($rows);
// echo $dbh->lastinsertid();
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1377
52
MySQL: The Ease of Data Management for Beginners
Apr 09, 2025 am 12:07 AM
MySQL is suitable for beginners because it is simple to install, powerful and easy to manage data. 1. Simple installation and configuration, suitable for a variety of operating systems. 2. Support basic operations such as creating databases and tables, inserting, querying, updating and deleting data. 3. Provide advanced functions such as JOIN operations and subqueries. 4. Performance can be improved through indexing, query optimization and table partitioning. 5. Support backup, recovery and security measures to ensure data security and consistency.
Can I retrieve the database password in Navicat?
Apr 08, 2025 pm 09:51 PM
Navicat itself does not store the database password, and can only retrieve the encrypted password. Solution: 1. Check the password manager; 2. Check Navicat's "Remember Password" function; 3. Reset the database password; 4. Contact the database administrator.
How to create navicat premium
Apr 09, 2025 am 07:09 AM
Create a database using Navicat Premium: Connect to the database server and enter the connection parameters. Right-click on the server and select Create Database. Enter the name of the new database and the specified character set and collation. Connect to the new database and create the table in the Object Browser. Right-click on the table and select Insert Data to insert the data.
MySQL: Simple Concepts for Easy Learning
Apr 10, 2025 am 09:29 AM
MySQL is an open source relational database management system. 1) Create database and tables: Use the CREATEDATABASE and CREATETABLE commands. 2) Basic operations: INSERT, UPDATE, DELETE and SELECT. 3) Advanced operations: JOIN, subquery and transaction processing. 4) Debugging skills: Check syntax, data type and permissions. 5) Optimization suggestions: Use indexes, avoid SELECT* and use transactions.
MySQL and SQL: Essential Skills for Developers
Apr 10, 2025 am 09:30 AM
MySQL and SQL are essential skills for developers. 1.MySQL is an open source relational database management system, and SQL is the standard language used to manage and operate databases. 2.MySQL supports multiple storage engines through efficient data storage and retrieval functions, and SQL completes complex data operations through simple statements. 3. Examples of usage include basic queries and advanced queries, such as filtering and sorting by condition. 4. Common errors include syntax errors and performance issues, which can be optimized by checking SQL statements and using EXPLAIN commands. 5. Performance optimization techniques include using indexes, avoiding full table scanning, optimizing JOIN operations and improving code readability.
How to create a new connection to mysql in navicat
Apr 09, 2025 am 07:21 AM
You can create a new MySQL connection in Navicat by following the steps: Open the application and select New Connection (Ctrl N). Select "MySQL" as the connection type. Enter the hostname/IP address, port, username, and password. (Optional) Configure advanced options. Save the connection and enter the connection name.
How to open phpmyadmin
Apr 10, 2025 pm 10:51 PM
You can open phpMyAdmin through the following steps: 1. Log in to the website control panel; 2. Find and click the phpMyAdmin icon; 3. Enter MySQL credentials; 4. Click "Login".
How to execute sql in navicat
Apr 08, 2025 pm 11:42 PM
Steps to perform SQL in Navicat: Connect to the database. Create a SQL Editor window. Write SQL queries or scripts. Click the Run button to execute a query or script. View the results (if the query is executed).
