我怎样才能使这个插入安全地免受 MySQL 注入？

Question

我是 PHP 和数据库编程的新手，一直在尝试将数据从表单添加到 MySQL 数据库。它工作正常，但这对我的 MySQL 注入开放吗？我读过很多教程，我在想 PDO 准备好的语句。例如，如何为我的评论字段执行此操作？该字段（它是一个文本字段）将完全开放给用户想要输入的任何内容。我怎样才能写这个以使其更安全？

<?php
ob_start();
$username = 'name'; 
$password = 'pass'; 
$host = 'localhost'; 
$dbname = 'map';



try {
$dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
// set the PDO error mode to exception
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$sql = "INSERT INTO Incidents (


        protocol,
        jurisdiction,
        date,
        time,
        comments,
        video,
        lat,
        lng



            )

        VALUES (


        '".$_POST["protocol"]."',
        '".$_POST["jurisdiction"]."',
        '".$_POST["date"]."',
        '".$_POST["time"]."',
        '".$_POST["comments"]."',
        '".$_POST["video"]."',
        '".$_POST["lat"]."',
        '".$_POST["lng"]."'


        )

        ";

// use exec() because no results are returned
$dbh->exec($sql);
header("Location: map1.php"); 

}
catch(PDOException $e)
{
echo $sql . "<br>" . $e->getMessage();
}

$dbh = null;




ob_end_flush();
?>

Answer 1

您已经在使用 PDO，这非常好。

但是，您还应该使用准备好的语句应该是 SQL 注入证明。查看此 link 了解更多信息：http://php.net/manual/en/pdo.prepared-statements.php

来自文档的插入示例：

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();

Answer 2

你应该使用准备语句。

好吧，这样做：

new PDO("mysql:host=$host;dbname=$dbname", $username, $password);

$sql = 'SELECT name, colour, calories
    FROM fruit
    WHERE calories < :calories AND colour = :colour';

$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));

$sth->execute(array(':calories' => $variable, ':colour' => $color ));

$red = $sth->fetchAll();

$sth->execute(array(':calories' => 175, ':colour' => 'yellow'));

$yellow = $sth->fetchAll();

示例最初取自php.net

您可以在此处阅读更多相关信息：http://php.net/manual/en/pdo.prepare.php

Answer 3

1) Use PDO
2) Escape all the special characters
3) Use parameterized queries

参考这个How can I prevent SQL injection in PHP?

Answer 4

PDO 已经很安全了。现在您可以使用 bindParam() 来提高安全性，例如：

<?php
 ob_start();
 $username = 'name'; 
 $password = 'pass'; 
 $host = 'localhost'; 
 $dbname = 'map';

try {
 $dbh = new PDO("mysql:host=$host;dbname=$dbname", $username, $password);
 // set the PDO error mode to exception
 $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

 $sql = "INSERT INTO Incidents SET protocol = ?, jurisdiction = ?, date = ?, time = ?, comments = ?, video = ?, lat = ?, lng = ? ";
 $smt->$dbh->prepare($sql);
 $smt->bindParam(1, $_POST["protocol"]);
 $smt->bindParam(2, $_POST["jurisdiction"]);
 $smt->bindParam(3, $_POST["date"]);
 $smt->bindParam(4, $_POST["time"]);
 $smt->bindParam(5, $_POST["comments"]);
 $smt->bindParam(6, $_POST["video"]);
 $smt->bindParam(7, $_POST["lat"]);
 $smt->bindParam(8, $_POST["lng"]);

 // use exec() because no results are returned
 $smt->execute();
 if($smt->rowCount()) { // if insertion success
   header("Location: map1.php"); 
 }

}
catch(PDOException $e) {
   echo $sql . "<br>" . $e->getMessage();
}

 $dbh = null;

 ob_end_flush();
?>

我怎样才能使这个插入安全地免受 MySQL 注入？

How can I make this insertion secure from MySQL injection?

php

mysql

sql-injection