PHP 开发中有效防御 SQL 注入攻击有哪些好方法？-PHP Tutorial-php.cn

Table of Contents

回复内容：

Home

Backend Development

PHP Tutorial

PHP 开发中有效防御 SQL 注入攻击有哪些好方法？

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 04:44 PM

回复内容：

没有编译就没有注入，避免提交上来的数据被编译就可以了，参数绑定就是避免提交数据被编译的方法。使用PDO或者MySQLi，有很多封装好的方便的Class。
例如使用PHP-PDO-MySQL-Class · GitHub（这个Class使用上比较类似Python的MySQLdb）的话，这样就是安全的：

<span class="cp"><?php</span>
<span class="nv">$DB</span><span class="o">-></span><span class="na">query</span><span class="p">(</span><span class="s2">"SELECT * FROM fruit WHERE name IN (?)"</span><span class="p">,</span><span class="k">array</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'pm1'</span><span class="p">],</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'pm2'</span><span class="p">]));</span>
<span class="nv">$DB</span><span class="o">-></span><span class="na">query</span><span class="p">(</span><span class="s2">"SELECT * FROM users WHERE name=? and password=?"</span><span class="p">,</span><span class="k">array</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'name'</span><span class="p">],</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'pw'</span><span class="p">]));</span>
<span class="cp">?></span><span class="x"></span>
Copy after login

防SQL注入最好的方法就是千万不要自己拼装SQL命令和参数, 而是用PDO的prepare和bind. 
原理就在于要把你的SQL查询命令和传递的参数分开:
    > prepare的时候, DB server会把你的SQL语句解析成SQL命令.
    > bind的时候, 只是动态传参给DB Server解析好的SQL命令.

其他所有的过滤特殊字符串这种白名单的方式都是浮云.

仅仅防止sql注入的话，使用mysqli或者PDO的预编译就行了。用框架的话，要留意框架内部是怎么处理的。拼接sql语句这种做法早就该进历史的垃圾堆了。

此外PDO的预编译有个bug，在5.3.6之前还是会默认调用mysql_*进行拼接，需要设置$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);。

prepare && bind 一下即可。

简单来说，仅仅对于PHP程序的SQL注入，对输入输出的数据进行安全过滤是最主要的方法。
当然说起来简单，真正要做到很复杂，要考虑的细节和因素很多，包括编码、类型、前后逻辑等等，一个处理不慎，反而会弄巧成拙。
因此要做到程序尽可能的安全，需要程序员具有一定的安全意识和知识，从程序的最底层构建上就把安全因素考虑进去。
个人认为国内PHP安全圈的水准还是相当高的，各方面的资料也很多，推荐两个网站，里面有很多相关的资料，有兴趣的可以参考学习下：
http://80vul.com
http://bbs.wolvez.org

一律不能直接使用外来的参数，不要直接构造查询语句，使用statement进行参数填充等等

1、不要随意开启生产环境中Webserver的错误显示。
2、永远不要信任来自用户端的变量输入，有固定格式的变量一定要严格检查对应的格式，没有固定格式的变量需要对引号等特殊字符进行必要的过滤转义。
3、使用预编译绑定变量的SQL语句。
4、做好数据库帐号权限管理。
5、严格加密处理用户的机密信息。

来自 「Web安全之SQL注入攻击技巧与防范」。

给两个办法，匈牙利命名法、注入尝试探测

别瞧不起匈牙利命名法，这货的原意可不是你以为的傻瓜一样在变量名后加上类型名。真正的做法是：未做escape过滤的字符串命令按照你自己的习惯命名，escape后的字符串加上类似_f或_ss这样的suffix。习惯后在写代码的时候自然就会要求传入的字符串都是过滤过的。

注入尝试探测则比较简单：作为黑客来说如果需要进行攻击，会进行多次注入尝试，期间几乎可以肯定会构造出一个无效的sql语句，执行时就会报错了。自己写个数据库的query函数进行封装，如果发现有执行无效的sql语句则通过邮件或其他形式进行报警。

当然…担心SQL注入，都是用拼接字符串做SQL查询的土鳖程序员。正常的程序员会去找个ORM用。

我采用的方法是：
1.对团队成员进行安全培训，找出最常见的攻击方法逐个指导代码内屏蔽方式
2.用nginx之类的反向代理进行url参数过滤，基本能挡住90%的攻击
3.对磁盘文件进行高度权限设定
4.计划任务的脚本对程序源代码定期（比如每小时）执行遍历搜索，一般水平的攻击，都逃不过这个排查
5.对nginx过滤出的危险url进行程序自动分析，对于超过阈值的ip直接防火墙屏蔽

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

R.E.P.O. Best Graphic Settings

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Assassin's Creed Shadows: Seashell Riddle Solution

2 weeks ago By DDD

R.E.P.O. How to Fix Audio if You Can't Hear Anyone

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

WWE 2K25: How To Unlock Everything In MyRise

1 months ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7517

CakePHP Tutorial

1378

What is the format of the account name of steam

win11 activation key permanent

nyt connections hints and answers

Related knowledge

Alipay PHP SDK transfer error: How to solve the problem of 'Cannot declare class SignData'? Apr 01, 2025 am 07:21 AM

Alipay PHP...

Explain JSON Web Tokens (JWT) and their use case in PHP APIs. Apr 05, 2025 am 12:04 AM

JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,

Explain the concept of late static binding in PHP. Mar 21, 2025 pm 01:33 PM

Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo

Framework Security Features: Protecting against vulnerabilities. Mar 28, 2025 pm 05:11 PM

Article discusses essential security features in frameworks to protect against vulnerabilities, including input validation, authentication, and regular updates.

How to send a POST request containing JSON data using PHP's cURL library? Apr 01, 2025 pm 03:12 PM

Sending JSON data using PHP's cURL library In PHP development, it is often necessary to interact with external APIs. One of the common ways is to use cURL library to send POST�...

Customizing/Extending Frameworks: How to add custom functionality. Mar 28, 2025 pm 05:12 PM

The article discusses adding custom functionality to frameworks, focusing on understanding architecture, identifying extension points, and best practices for integration and debugging.

Describe the SOLID principles and how they apply to PHP development. Apr 03, 2025 am 12:04 AM

The application of SOLID principle in PHP development includes: 1. Single responsibility principle (SRP): Each class is responsible for only one function. 2. Open and close principle (OCP): Changes are achieved through extension rather than modification. 3. Lisch's Substitution Principle (LSP): Subclasses can replace base classes without affecting program accuracy. 4. Interface isolation principle (ISP): Use fine-grained interfaces to avoid dependencies and unused methods. 5. Dependency inversion principle (DIP): High and low-level modules rely on abstraction and are implemented through dependency injection.

How does session hijacking work and how can you mitigate it in PHP? Apr 06, 2025 am 12:02 AM

Session hijacking can be achieved through the following steps: 1. Obtain the session ID, 2. Use the session ID, 3. Keep the session active. The methods to prevent session hijacking in PHP include: 1. Use the session_regenerate_id() function to regenerate the session ID, 2. Store session data through the database, 3. Ensure that all session data is transmitted through HTTPS.

See all articles