我在本地主机上有一个简单的注册表单(仍在测试中),我想知道它是否可以被SQL注入攻击?
I've a simple registration form on my localhost (still testing), and I am wondering if it can be attacked by SQL injection?
代码:
$name = mysql_real_escape_string($_POST['name']); $password = mysql_real_escape_string($_POST['password']); $password = md5($password); $email = mysql_real_escape_string($_POST['email']); $refId = $_GET['refid']; $ip = $_SERVER['REMOTE_ADDR']; $add = mysql_query("INSERT INTO `users` (`name`, `password`, `email`, `refId`, `ip`) VALUES('$name','$password','$email','$refId', '$ip')") or die(mysql_error());这样安全吗?或者有人可以使用SQL注入(我想知道怎么做)?如何避免注射?
Is that safe or can someone use SQL injection (I'd like to know how)? How can I avoid injection?
推荐答案避免注入的最佳方法是使用准备好的声明. 对于准备好的语句,我更喜欢使用PDO处理所有数据库内容.这是我编写的一些PDO示例代码,用于检索一些基本的登录信息:
The best way to avoid injections is to use Prepared Statements. For prepared Statements I prefer to use PDO to handle all my DB stuff. here is some PDO sample code I wrote to retrieve some basic login information:
$sql=new PDO("mysql:host=127.0.0.1;dbname=name","user","password"); $user=$_POST[user]; $query="select Salt,Passwd from User where Name=:user"; $stmt=$sql->prepare($query); $stmt->bindParam(':user',$user); $stmt->execute(); $dr=$stmt->fetch(); $sql=null; $password=$_POST[pass]; $salt=$dr['Salt'];...等等
阅读此页面,以获取有关PDO的更多信息.如果您想知道这里每一行的代码在做什么,请阅读此我在另一篇文章中给出的答案.
Read this page for more information on PDO. If you want to know what each line of code here is doing, read this answer I gave to another post.
更多推荐
避免在注册表格php中进行SQL注入
发布评论