1.使用預處理語句和參數化查詢。(‘Use prepared statements and parameterized queries.’)?
SQL語句和查詢的參數分別發送給數據庫服務器進行解析。這種方式有2種實現:?
(1)使用PDO(PHP data object)
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array('name' => $name));
foreach ($stmtas$row) {
// do something with $row
}
(2)使用MySQLi
$stmt=$dbConnection->prepare('SELECT * FROM employees WHERE name = ?'); $stmt->bind_param('s', $name);
$stmt->execute();
$result=$stmt->get_result();
while ($row=$result->fetch_assoc()) {
// do something with $row }
2.對查詢語句進行轉義(最常見的方式)
$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
$mysqli = new mysqli("server", "username", "password", "database_name");
// TODO - Check that connection was successful. $unsafe_variable = $_POST["user-input"]; $stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)"); // TODO check that $stmt creation succeeded // "s" means the database expects a string $stmt->bind_param("s", $unsafe_variable); $stmt->execute(); $stmt->close(); $mysqli->close();
3.限制引入的參數
$orders = array("name","price","qty"); //field names
$key = array_search($_GET['sort'],$orders)); // see if we have such a name
$orderby = $orders[$key]; //ifnot, first one will be set automatically. smart enuf :)
$query = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe
4.對引入參數進行編碼
SELECT password FROM users WHERE name = 'root' --普通方式 SELECT password FROM users WHERE name = 0x726f6f74 --防止注入 SELECT password FROM users WHERE name = UNHEX('726f6f74') --防止注入 set @INPUT = hex("%實驗%");select * from login where reset_passwd_question like unhex(@INPUT) ;
