0

嗨,我有以下声明

function count_rows($table_name, $condition = null, $debug = false)
{
    $query_result = $this->query("SELECT count(*) AS count_rows FROM " . $this->db_prefix . $table_name . " " . $condition, $debug);
    $count_rows = $this->sql_result($query_result, 0, 'count_rows');

    return $count_rows;
}

我一直在使用 sql injection me addon for firefox,它给了我错误

运行脚本时出现Mysql错误:

The query you are trying to run is invalid
Mysql Error Output: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' at line 2
SQL Query: SELECT count(*) AS count_rows FROM database_auctions a WHERE a.active=1 AND a.approved=1 AND a.deleted=0 AND a.list_in!='store' AND a.catfeat='1' AND a.closed=0 AND (a.category_id IN ())

如何针对 sql 注入清理此查询?

4

2 回答 2

1

正如您在查询的这一部分附近看到的那样:

AND (a.category_id IN ())

您实际上并没有给它一个子查询/值列表。您需要这样做以确定结果是否包含指定的 category_id。

为了帮助防止 sql 注入,我建议使用 PHP 的 mysqli 扩展。我相信他们支持准备好的陈述。通过使用prepared statements,您放弃了字符串连接的使用,服务器“准备”了sql语句,因此查询只发送到服务器一次,然后在您实际执行SQL查询时只发送参数。

http://php.net/manual/en/class.mysqli-stmt.php

http://php.net/manual/en/mysqli-stmt.prepare.php

于 2013-01-13T23:19:45.773 回答
1

看起来,当您通过时,$contidion您忘记了在a.category_id IN ()parentesis 之间的某些东西应该是值。为了避免 SQL 注入检查这个

于 2013-01-13T23:23:11.367 回答