我在MySQL表中有一个列可以是0或1.如果用户没有输入0或1,那么我只是将值设置为0.我想知道这个PHP代码是否从SQL注入“安全” :
$flag = $_GET["f"]; if ($flag != 1) $flag = 0; $sql = "SELECT * from table WHERE column=$flag"; $db->query($sql);我通常使用准备好的语句,但我想知道这段代码是否完整。 如果这可以打破,那么我想看一个例子。
I have a column in a MySQL table that can be either 0 or 1. If the user doesn't enter 0 or 1 then I just set the value to 0. I was wondering if this PHP code would be "safe" from SQL injection:
$flag = $_GET["f"]; if ($flag != 1) $flag = 0; $sql = "SELECT * from table WHERE column=$flag"; $db->query($sql);I usually use prepared statements, but I was wondering if this code is full-proof. If this can be broken, then I would like to see an example.
最满意答案
不,这不安全。 SQL注入示例: 1 OR 1 = 1
这等于1,因为(int)"1string" === 1 。
在将其传递给查询之前,我会考虑显式(int)强制转换:
$sql = "SELECT * from table WHERE column=".(int)$flag;No, it isn't safe. Example SQL injection: 1 OR 1 = 1
This is equal to 1, because (int)"1string" === 1.
I'd consider to explicitely (int) cast before passing it to the query:
$sql = "SELECT * from table WHERE column=".(int)$flag;更多推荐
发布评论