1

我很难将撇号传递到我的自动完成中。数据库包含不带撇号的条目...而是使用 html 等效项 (&POUND039;)。我对 ajax 还是很陌生,所以我非常感谢您的帮助。问题是,我如何传入撇号的值并使其匹配?另外,我的代码容易受到注入攻击吗?在此先感谢您的帮助!

代码是这样的:

<script type="text/javascript">
var options = {
        serviceUrl:'autocomplete/autoQuery.php',
            minChars:2, 
            delimiter: /(,|;)\s*/, // regex or character
            maxHeight:400,
            width:500,
            zIndex: 9999,
            deferRequestBy: 0, //miliseconds
            params: { country:'Yes' }, //aditional parameters
            noCache: false, //default is false, set to true to disable caching
            // callback function:
            // onSelect: function(value, data){ alert('You selected: ' + value + ', ' + data); },
            onSelect: function(value, data){ window.location = "textbooks.php?bk=" + data;}
    }; 
$('#query').autocomplete(options);
</script>

我有一个 php 脚本发回查询结果。该页面称为 query.php,代码如下:

$get = htmlentities($_GET['query']);
$query = "SELECT title,author,id,isbn10,isbn13 FROM textbook
        WHERE title LIKE '%" . $get . "%'
        OR author LIKE '" . $get . "%'
        OR isbn10 LIKE '" . $get . "%'
        OR isbn13 LIKE '" . $get . "%'
        LIMIT 5
        ";
$result = mysql_query($query,$connection);
if(mysql_num_rows($result) == 0){
$resString = "'No result found. Click here',";
$idString = "'unknown',";
}else{
$resString = "";
$idString = "";
while($data = mysql_fetch_array($result)){
    $resString .= "'" . $data['title'] . " by " . $data['author'] . "',";
    $idString .= "'" . $data['id'] . "',";
}   
}

$resString = rtrim($resString, ',');
$idString = rtrim($idString, ',');
$code = "{\n";
$code .= "query:'" . $get . "',\n";
$code .= "suggestions:[" . $resString . "],\n";
$code .= "data:[" . $idString . "]\n";
$code .= "}";
echo $code;
4

1 回答 1

1

您的脚本本身很容易受到 SQL 注入的影响,因为它是$get未转义的。htmlentities()你拥有它的方式不会对引号进行编码。

先修复数据:

不建议将编码值存储在数据库中(尤其是不奇怪编码的值,例如&POUND039)。所以我建议的第一件事是用实际的撇号替换数据库中的这些值。

UPDATE textbook 
SET 
  title = REPLACE(title, '&POUND039', '\''),
  author = REPLACE(author, '&POUND039', '\''),
  etc...

然后不要使用( 顺便说一句,除非您传递常量,htmlentities()否则不会对引号进行编码,而是传入一个正确转义的 string ,它将匹配数据库中的常规单引号。注意,转义包含文字的字符串还有其他问题并在语句中使用,所以这只是可以做的最低限度的事情。ENT_QUOTES$get%_LIKE

$get = mysql_real_escape_string($_GET['query']);
$query = "SELECT title,author,id,isbn10,isbn13 FROM textbook
        WHERE title LIKE '%" . $get . "%'
        OR author LIKE '" . $get . "%'
        OR isbn10 LIKE '" . $get . "%'
        OR isbn13 LIKE '" . $get . "%'
        LIMIT 5
        ";

真正的解决方案:

但是,正如评论中所建议的那样,如果您使用 PDO 和绑定参数,这一切都会更加顺利并且无需担心注入:

// PDO connection information omitted...
$query = "SELECT title,author,id,isbn10,isbn13 FROM textbook
        WHERE title LIKE CONCAT('%', :get, '%')
        OR author LIKE CONCAT(:get, '%')
        OR isbn10 LIKE CONCAT(:get, '%')
        OR isbn13 LIKE CONCAT(:get, '%')
        LIMIT 5
        ";

$stmt = $db->prepare($query);
$stmt->execute(array(':get', $_GET['query']);
while ($data = $stmt->fetch(PDO::FETCH_ASSOC)) {
  $resString .= "'" . $data['title'] . " by " . $data['author'] . "',";
  $idString .= "'" . $data['id'] . "',";
}
// etc...
于 2012-04-07T13:27:22.027 回答