1

In my Login forms I hash username and password before I execute the queries

... class ...

private $username;
private $password;
protected function Login(){
    $user = hash('sha256', $this->username);
    $pass = hash('sha256', $this->password);
    $this query = "..."
    ...
}

and in other kind of forms (like Search forms) I convert the strings to arrays and then I execute the queries, that way the query would look like this:

$searchstring = explode(' ', $search);
//.... Some lines of PHP code... and the resulting query is: ...
$this->query = "SELECT... WHERE name LIKE 'DELETE%' OR name LIKE 'FROM%' ";
$this->query.= " OR name LIKE 'USERS%' OR name LIKE 'WHERE%' OR name LIKE '1%'";

Is this enough to prevent sql injection? thanks

4

3 回答 3

5

不要相信自己有能力防止 SQL 注入!许多比你更好的头脑都落入了它。

使用 mysqli 或 PDO 和参数化查询。这还有一个好处,就是允许您的数据库也缓存查询计划。

于 2012-08-15T21:33:37.113 回答
0

或者,您可以将其转换为二进制:

function mssql_escape($data) {
    if(is_numeric($data))
        return $data;
    $unpacked = unpack('H*hex', $data);
    return '0x' . $unpacked['hex'];
}

...如果您不在mysql数据库上。

于 2012-08-16T00:28:55.200 回答
0

您可以采取一些非常简单的步骤来使代码更安全:

$query= mysqli_real_escape_string($database_connection, $user)

这会转义任何可能对 SQL 字符串产生不利影响的危险字符

$query = mysqli_real_escape_string($database_connection, trim($user))

在这一步中,我们添加了 trim 函数,该函数去除了任何空格 - 用于发起 SQL 注入攻击

你可以在这里看到更多关于这个的信息

于 2012-08-15T21:36:15.010 回答