最实用有效的PHP中防止SQL注入
SQL注入攻击的概念及危害我相信大家都有所了解,如果不了解的请自己度娘,下面我们来学习一下在php中如何有效的防止
问题描述:
如果用户输入的数据在未经处理的情况下插入到一条SQL查询语句,那么应用将很可能遭受到SQL注入攻击,正如下面的例子:
$unsafe_variable = $_POST['user_input'];
mysql_query("INSERT INTO `table` (`column`) VALUES ('" . $unsafe_variable . "')");
因为用户的输入可能是这样的:
value'); DROP TABLE table;--
那么SQL查询将变成如下:
INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')
应该采取哪些有效的方法来防止SQL注入?
最佳回答(来自Theo):
使用预处理语句和参数化查询。预处理语句和参数分别发送到数据库服务器进行解析,参数将会被当作普通字符处理。这种方式使得攻击者无法注入恶意的SQL。 你有两种选择来实现该方法:
1、使用PDO:
1 2 3 4 5 |
|
2、使用mysqli:
1 2 3 4 5 6 7 |
|
PDO
注意,在默认情况使用PDO并没有让MySQL数据库执行真正的预处理语句(原因见下文)。为了解决这个问题,你应该禁止PDO模拟预处理语句。一个正确使用PDO创建数据库连接的例子如下:
1 2 3 |
|
在上面的例子中,报错模式(ATTR_ERRMODE)并不是必须的,但建议加上它。这样,当发生致命错误(Fatal Error)时,脚本就不会停止运行,而是给了程序员一个捕获PDOExceptions的机会,以便对错误进行妥善处理。 然而,第一个setAttribute()调用是必须的,它禁止PDO模拟预处理语句,而使用真正的预处理语句,即有MySQL执行预处理语句。这能确保语句和参数在发送给MySQL之前没有被PHP处理过,这将使得攻击者无法注入恶意SQL。了解原因,可参考这篇博文:PDO防注入原理分析以及使用PDO的注意事项。 注意在老版本的PHP(<5.3.6),你无法通过在PDO的构造器的DSN上设置字符集,参考:silently ignored the charset parameter。
解析
当你将SQL语句发送给数据库服务器进行预处理和解析时发生了什么?通过指定占位符(一个?或者一个上面例子中命名的 :name),告诉数据库引擎你想在哪里进行过滤。当你调用execute的时候,预处理语句将会与你指定的参数值结合。 关键点就在这里:参数的值是和经过解析的SQL语句结合到一起,而不是SQL字符串。SQL注入是通过触发脚本在构造SQL语句时包含恶意的字符串。所以,通过将SQL语句和参数分开,你防止了SQL注入的风险。任何你发送的参数的值都将被当作普通字符串,而不会被数据库服务器解析。回到上面的例子,如果$name变量的值为 ’Sarah’; DELETE FROM employees ,那么实际的查询将是在 employees 中查找 name 字段值为 ’Sarah’; DELETE FROM employees 的记录。 另一个使用预处理语句的好处是:如果你在同一次数据库连接会话中执行同样的语句许多次,它将只被解析一次,这可以提升一点执行速度。 如果你想问插入该如何做,请看下面这个例子(使用PDO):
1 2 |
|
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
What is the difference between using foreach and iterator to delete elements when traversing Java ArrayList?
Apr 27, 2023 pm 03:40 PM
1. The difference between Iterator and foreach is the polymorphic difference (the bottom layer of foreach is Iterator) Iterator is an interface type, it does not care about the type of collection or array; both for and foreach need to know the type of collection first, even the type of elements in the collection; 1. Why is it said that the bottom layer of foreach is the code written by Iterator: Decompiled code: 2. The difference between remove in foreach and iterator. First, look at the Alibaba Java Development Manual, but no error will be reported in case 1, and an error will be reported in case 2 (java. util.ConcurrentModificationException) first
How to determine the number of foreach loop in php
Jul 10, 2023 pm 02:18 PM
The steps for PHP to determine the number of the foreach loop: 1. Create an array of "$fruits"; 2. Create a counter variable "$counter" with an initial value of 0; 3. Use "foreach" to loop through the array, and Increase the value of the counter variable in the loop body, and then output each element and their index; 4. Output the value of the counter variable outside the "foreach" loop to confirm which element the loop reaches.
PHP returns an array with key values flipped
Mar 21, 2024 pm 02:10 PM
This article will explain in detail how PHP returns an array after key value flipping. The editor thinks it is quite practical, so I share it with you as a reference. I hope you can gain something after reading this article. PHP Key Value Flip Array Key value flip is an operation on an array that swaps the keys and values in the array to generate a new array with the original key as the value and the original value as the key. Implementation method In PHP, you can perform key-value flipping of an array through the following methods: array_flip() function: The array_flip() function is specially used for key-value flipping operations. It receives an array as argument and returns a new array with the keys and values swapped. $original_array=[
PHP returns the current element in an array
Mar 21, 2024 pm 12:36 PM
This article will explain in detail about the current element in the array returned by PHP. The editor thinks it is very practical, so I share it with you as a reference. I hope you can gain something after reading this article. Get the current element in a PHP array PHP provides a variety of methods for accessing and manipulating arrays, including getting the current element in an array. The following introduces several commonly used techniques: 1. current() function The current() function returns the element currently pointed to by the internal pointer of the array. The pointer initially points to the first element of the array. Use the following syntax: $currentElement=current($array);2.key() function key() function returns the array internal pointer currently pointing to the element
How to correctly handle Chinese character encoding in Tomcat
Dec 28, 2023 pm 01:20 PM
How to correctly handle Chinese character encoding in Tomcat During the web development process, we often encounter the problem of handling Chinese character encoding. As a commonly used JavaWeb server, Tomcat also has some things to pay attention to when dealing with Chinese character encoding. This article will introduce how to correctly handle Chinese character encoding in Tomcat and provide corresponding code examples. 1. Understanding character encoding First, we need to understand the concept of character encoding. Character encoding is a way of mapping characters into binary data. Common
What is the difference between foreach and for loop
Jan 05, 2023 pm 04:26 PM
Difference: 1. for loops through each data element through the index, while forEach loops through the data elements of the array through the JS underlying program; 2. for can terminate the execution of the loop through the break keyword, but forEach cannot; 3. for can control the execution of the loop by controlling the value of the loop variable, but forEach cannot; 4. for can call loop variables outside the loop, but forEach cannot call loop variables outside the loop; 5. The execution efficiency of for is higher than forEach.
How to iterate through the properties of an object using the forEach function?
Nov 18, 2023 pm 06:10 PM
How to iterate through the properties of an object using the forEach function? In JavaScript, we often need to traverse the properties of objects. If you want to use a concise way to iterate over the properties of an object, the forEach function is a very good choice. In this article, we will explain how to use the forEach function to iterate over the properties of an object and provide specific code examples. First, let's understand the basic usage of the forEach function. forEach function is Java
PHP programming tips: Learn the simple method of processing the first character on the right
Mar 02, 2024 am 08:09 AM
PHP programming tips: Learn a simple method of processing the first character on the right side. In PHP programming, you often encounter situations where you need to process strings. Among them, processing the first character on the right side of a string is a common requirement. This article will introduce a simple and practical method to help you easily handle the operation of the first character on the right side of a string. We will combine it with specific code examples to help you better master this technique. In PHP, you can use the built-in string processing functions to get the first character on the right side of a string. Among them, commonly used
