Search result page SQL injection protection

I have a search result page like this:

    <?php
    error_reporting(0);
    include("config_mashin.php");
    $group  = $_GET['group'];
    $name   = $_GET['name'];
    $tip    = $_GET['tip'];
    $model  = $_GET['model'];
    $price1 = $_GET['price1'];

    // map the selected price option to a SQL range condition
    if (!empty($price1)) {
      switch ($price1) {
      case 1  :  $price1 = " AND `price` BETWEEN 0.00 AND 10000000.00 ";  break;
      case 2  :  $price1 = " AND `price` BETWEEN 10000001.00 AND 20000000.00 ";  break;
      case 3  :  $price1 = " AND `price` BETWEEN 200000001.00 AND 30000000.00 ";  break;
      case 4  :  $price1 = " AND `price` BETWEEN 300000001.00 AND 40000000.00 ";  break;
      case 5  :  $price1 = " AND `price` BETWEEN 400000001.00 AND 50000000.00 ";  break;
      case 6  :  $price1 = " AND `price` BETWEEN 500000001.00 AND 70000000.00 ";  break;
      case 7  :  $price1 = " AND `price` BETWEEN 700000001.00 AND 100000000.00 ";  break;
      case 8  :  $price1 = " AND `price` BETWEEN 100000001.00 AND 150000000.00 ";  break;
      case 9  :  $price1 = " AND `price` BETWEEN 150000001.00 AND 200000000.00 ";  break;
      case 10 :  $price1 = " AND `price` > 200000000.00 ";  break;
      }
    }

    // map the selected model option to a SQL range condition
    if (!empty($model)) {
      switch ($model) {
      case 1  :  $model = " AND `model` BETWEEN 1375.00 AND 1380.00 ";  break;
      case 2  :  $model = " AND `model` BETWEEN 1381.00 AND 1385.00 ";  break;
      case 3  :  $model = " AND `model` BETWEEN 1386.00 AND 1390.00 ";  break;
      case 4  :  $model = " AND `model` BETWEEN 1391.00 AND 1395.00 ";  break;
      }
    }

    // the user-supplied values are concatenated straight into the query
    $quer = "SELECT * FROM `caracter` WHERE
               `name` LIKE '%".$name."%'
          AND `tip` LIKE '%".$tip."%'
          AND `group` LIKE '%".$group."%'".$model.$price1;

    $query = mysqli_query($connect, $quer)
    or die(mysqli_error($connect));
    ?>
    <?php while ($row = mysqli_fetch_array($query)): ?>
    <?php /* to simplify the code I don't write this part */ ?>
    <?php endwhile; ?>

In the code above, based on the price or model range and the car name and group the user selects, the best results are shown to him or her, and it works well, but I want to know how to protect it from SQL injection. Please help me.

I'm not sure what your $mysqli looks like, so I'm using the default (example #1). Just escape these variables:

$group = $mysqli->real_escape_string($_GET['group']);
$name = $mysqli->real_escape_string($_GET['name']);
$tip = $mysqli->real_escape_string($_GET['tip']);

Since $price1 and $model get overwritten by your new strings, the user can't change them, but I'd still suggest you also use a default: option (just in case another value comes in).

I don't know if I'm missing anything else, but I think this is what you need right now.

Use mysqli_real_escape_string for all variables:

$group = mysqli_real_escape_string($db, $_GET["group"]);

http://php.net/manual/en/mysqli.real-escape-string.php

The recommended way to prevent SQL injection is prepared statements.
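Putting the two answers together, here is how the asker's search could be rewritten with mysqli prepared statements plus a lookup table for the range options, so that nothing from $_GET ever becomes part of the SQL text. This is an added example, not code from the question or from either answer. It assumes config_mashin.php creates a mysqli connection in $connect (as the original code implies), PHP 7.1 or later, and the mysqlnd driver for get_result(). Only some of the original price ranges are copied into the table; the rest follow the same shape.

```php
<?php
// Added example: the search from the question using prepared statements.
// Assumes config_mashin.php sets up a mysqli connection in $connect.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include "config_mashin.php";

// Option number sent by the form -> [low, high]. A null high bound means
// "greater than low". Values taken from the question (partial list).
const PRICE_RANGES = [
    1  => [0.00, 10000000.00],
    2  => [10000001.00, 20000000.00],
    10 => [200000000.00, null],
];
const MODEL_RANGES = [
    1 => [1375.00, 1380.00],
    2 => [1381.00, 1385.00],
    3 => [1386.00, 1390.00],
    4 => [1391.00, 1395.00],
];

// Escape LIKE metacharacters so a user typing "%" or "_" cannot turn the
// filter into "match everything". Neither real_escape_string nor a bound
// parameter does this for you; MySQL's default LIKE escape char is "\".
function likeLiteral(string $s): string {
    return strtr($s, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

// Build the query with "?" placeholders and the matching bind list.
// Returns [sql, bind types, bind values].
function buildSearch(array $get): array {
    $sql = "SELECT * FROM `caracter` WHERE `name` LIKE ? AND `tip` LIKE ? AND `group` LIKE ?";
    $types = 'sss';
    $values = [
        '%' . likeLiteral((string)($get['name']  ?? '')) . '%',
        '%' . likeLiteral((string)($get['tip']   ?? '')) . '%',
        '%' . likeLiteral((string)($get['group'] ?? '')) . '%',
    ];

    // Column names come from this fixed list, never from the request.
    $rangeFilters = [
        ['price1', 'price', PRICE_RANGES],
        ['model',  'model', MODEL_RANGES],
    ];
    foreach ($rangeFilters as [$param, $column, $ranges]) {
        $option = (int)($get[$param] ?? 0);
        if (!isset($ranges[$option])) {
            continue;   // the "default:" case: unknown option -> no filter
        }
        [$low, $high] = $ranges[$option];
        if ($high === null) {
            $sql   .= " AND `$column` > ?";
            $types .= 'd';
            $values[] = $low;
        } else {
            $sql   .= " AND `$column` BETWEEN ? AND ?";
            $types .= 'dd';
            $values[] = $low;
            $values[] = $high;
        }
    }
    return [$sql, $types, $values];
}

[$sql, $types, $values] = buildSearch($_GET);
$stmt = $connect->prepare($sql);
$stmt->bind_param($types, ...$values);
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // render the row here, as in the original page
}
$stmt->close();
```

Two things this does beyond escaping: the range options are looked up in a table, so a value that matches no case is simply dropped instead of staying in $model or $price1 as a raw request string, and the LIKE wildcards are escaped before binding, which mysqli_real_escape_string alone does not do. With MYSQLI_REPORT_STRICT enabled, a failing query throws instead of being swallowed by error_reporting(0).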