此查询是否受到 sql 注入的保护?
Is this query secured from sql injection?
我想知道这个 sql 查询是否受到 sql 注入的保护,如果没问题,或者我应该修改一些东西。
我尝试从 GET 绑定 id,如果一切正常,我将使用该 id 的实际查询。
if(isset($_GET['id']) && $_GET['id'] != null) {
$id = $_GET['id'];
$stmt = $mysqli->prepare('SELECT id FROM maps WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();
if (mysqli_num_rows($result) == 1) {
$row = $result->fetch_assoc();
$secid = $row["id"];
} else {
header("LOCATION: index.php");
}
$sql = "SELECT
maps.id,
maps.name,
maps.description,
maps.date,
maps.mcversion,
maps.mapid,
maps.category,
maps.format,
maps.userid,
users.username,
users.rank,
users.verified,
users.mc_username,
(SELECT COUNT(*) FROM likes WHERE likes.mapid = maps.id) AS likes,
(SELECT COUNT(*) FROM downloads WHERE downloads.mapid = maps.id) AS downloads,
(SELECT COUNT(*) FROM subscribe WHERE subscribe.channelid = maps.userid) AS subscribes,
(SELECT COUNT(*) FROM views WHERE views.mapid = maps.id) AS views
FROM maps
INNER JOIN users
ON maps.userid = users.id
WHERE maps.id = '$secid'";
$result = mysqli_query($con,$sql);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
} else {
header("LOCATION: index.php");
}
} else {
header("LOCATION: index.php");
}
一般经验法则:如果您的查询有变量插值,就像 $secid 一样,那么可能没有。
使用带有占位符值的准备好的语句来确保您没有注入问题。其他任何事情都需要您手动调查和验证。 细心周到.
由于 $secid 来自数据库,因此您无法确定它是什么。那可能是一个 VARCHAR 列,或者如果现在不是,它 可能在将来 。这就是 SQL 注入成为永久威胁的原因。今天 well-founded 的假设以后可能会被证明是危险的。
在这种特殊情况下,没有理由不使用占位符值。第一个查询具有可疑的实用性。第二个可以而且应该使用完全相同的方法,其中 ? 出现而不是值。
As a way of forcing yourself to write safe code, only use single quoted strings when defining queries. This way any accidental SQL injection becomes harmless, you'll instead get literal $ values showing up in your database instead of user data, and these are very easy to spot in testing. SQL injection bugs aren't unless you go looking for them.
这是更好的解决方案吧?
if(isset($_GET['id']) && $_GET['id'] != null) {
$id = $_GET['id'];
$stmt = $mysqli->prepare("SELECT
maps.id,
maps.name,
maps.description,
maps.date,
maps.mcversion,
maps.mapid,
maps.category,
maps.format,
maps.userid,
users.username,
users.rank,
users.verified,
users.mc_username,
(SELECT COUNT(*) FROM likes WHERE likes.mapid = maps.id) AS likes,
(SELECT COUNT(*) FROM downloads WHERE downloads.mapid = maps.id) AS downloads,
(SELECT COUNT(*) FROM subscribe WHERE subscribe.channelid = maps.userid) AS subscribes,
(SELECT COUNT(*) FROM views WHERE views.mapid = maps.id) AS views
FROM maps
INNER JOIN users
ON maps.userid = users.id
WHERE maps.id = ?");
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();
if (mysqli_num_rows($result) == 1) {
$row = $result->fetch_assoc();
} else {
header("LOCATION: index.php");
die();
}
} else {
header("LOCATION: index.php");
die();
}
我想知道这个 sql 查询是否受到 sql 注入的保护,如果没问题,或者我应该修改一些东西。
我尝试从 GET 绑定 id,如果一切正常,我将使用该 id 的实际查询。
if(isset($_GET['id']) && $_GET['id'] != null) {
$id = $_GET['id'];
$stmt = $mysqli->prepare('SELECT id FROM maps WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();
if (mysqli_num_rows($result) == 1) {
$row = $result->fetch_assoc();
$secid = $row["id"];
} else {
header("LOCATION: index.php");
}
$sql = "SELECT
maps.id,
maps.name,
maps.description,
maps.date,
maps.mcversion,
maps.mapid,
maps.category,
maps.format,
maps.userid,
users.username,
users.rank,
users.verified,
users.mc_username,
(SELECT COUNT(*) FROM likes WHERE likes.mapid = maps.id) AS likes,
(SELECT COUNT(*) FROM downloads WHERE downloads.mapid = maps.id) AS downloads,
(SELECT COUNT(*) FROM subscribe WHERE subscribe.channelid = maps.userid) AS subscribes,
(SELECT COUNT(*) FROM views WHERE views.mapid = maps.id) AS views
FROM maps
INNER JOIN users
ON maps.userid = users.id
WHERE maps.id = '$secid'";
$result = mysqli_query($con,$sql);
if (mysqli_num_rows($result) > 0) {
$row = mysqli_fetch_assoc($result);
} else {
header("LOCATION: index.php");
}
} else {
header("LOCATION: index.php");
}
一般经验法则:如果您的查询有变量插值,就像 $secid 一样,那么可能没有。
使用带有占位符值的准备好的语句来确保您没有注入问题。其他任何事情都需要您手动调查和验证。 细心周到.
由于 $secid 来自数据库,因此您无法确定它是什么。那可能是一个 VARCHAR 列,或者如果现在不是,它 可能在将来 。这就是 SQL 注入成为永久威胁的原因。今天 well-founded 的假设以后可能会被证明是危险的。
在这种特殊情况下,没有理由不使用占位符值。第一个查询具有可疑的实用性。第二个可以而且应该使用完全相同的方法,其中 ? 出现而不是值。
As a way of forcing yourself to write safe code, only use single quoted strings when defining queries. This way any accidental SQL injection becomes harmless, you'll instead get literal $ values showing up in your database instead of user data, and these are very easy to spot in testing. SQL injection bugs aren't unless you go looking for them.
这是更好的解决方案吧?
if(isset($_GET['id']) && $_GET['id'] != null) {
$id = $_GET['id'];
$stmt = $mysqli->prepare("SELECT
maps.id,
maps.name,
maps.description,
maps.date,
maps.mcversion,
maps.mapid,
maps.category,
maps.format,
maps.userid,
users.username,
users.rank,
users.verified,
users.mc_username,
(SELECT COUNT(*) FROM likes WHERE likes.mapid = maps.id) AS likes,
(SELECT COUNT(*) FROM downloads WHERE downloads.mapid = maps.id) AS downloads,
(SELECT COUNT(*) FROM subscribe WHERE subscribe.channelid = maps.userid) AS subscribes,
(SELECT COUNT(*) FROM views WHERE views.mapid = maps.id) AS views
FROM maps
INNER JOIN users
ON maps.userid = users.id
WHERE maps.id = ?");
$stmt->bind_param('i', $id);
$stmt->execute();
$result = $stmt->get_result();
if (mysqli_num_rows($result) == 1) {
$row = $result->fetch_assoc();
} else {
header("LOCATION: index.php");
die();
}
} else {
header("LOCATION: index.php");
die();
}