0

可能重复:
如何防止 PHP 中的 SQL 注入?

我有这个代码

$where = '';
if (isset($_POST['lvl']) && $vals = $_POST['lvl']) {
    $where = 'WHERE ';
$first = false;
if ($vals[0] === '0') {
    $where .= 'team = "neutral"';
    unset($vals[0]);
    $first = true;
}
if (count($vals)) {
    if ($first) $where .= ' OR ';
    $where .= 'lvl IN (\'' . implode('\',\'', $vals) . '\')';
}}
    $sql = "SELECT * FROM $table $where";
$res = $DBH->prepare($sql);
$res->execute();
$num = $res->rowCount();
echo "<h2>".$num."</h2>";

它有效,但如果有人做了某事,就会发生这种情况。如何解决这个问题?

UPD:添加了 PDO 代码

4

3 回答 3

0

使用 PHPmysqli_real_escape_string()来转义值。请注意,这是mysqli因为mysql功能已折旧。

于 2013-01-26T06:01:42.520 回答
0

您需要对所有字符串值使用 PDO::quote()。
此外,当您只需要计算它们时,您永远不应该选择所有记录。让数据库为你做这件事

$where = '';
if (!empty($_POST['lvl'])) {
    $vals = $_POST['lvl'];
    $where = 'WHERE ';
    if ($vals[0] === '0') {
        $where .= "team = 'neutral'";
        unset($vals[0]);
        if ($vals) {
            $where .= " OR ";
        }
    }
    if ($vals) {
        foreach ($vals as $i => $val) {
           $vals[$i] = $DBH->quote($val);
        }
        $where .= "lvl IN (".implode(',', $vals).")";
    }
}
$sql = "SELECT count(*) as cnt FROM $table $where";
$res = $DBH->query($sql);
$res->execute();
$row = $res->fetch();
echo "<h2>".$row['num']."</h2>";

顺便说一句,使用我自己的类,代码会稍微不那么复杂,因为它不需要手动转义(虽然它使用的是 mysqli,而不是 PDO)。

$where = '';
if (!empty($_POST['lvl'])) {
    $vals = $_POST['lvl'];
    $where = 'WHERE ';
    if ($vals[0] === '0') {
        $where .= "team = 'neutral'";
        unset($vals[0]);
        if ($vals) {
            $where .= " OR ";
        }
    }
    if ($vals) {
        $where .= $db->parse("lvl IN (?a)",$vals);
    }
}
$num = $db->getOne("SELECT count(*) as cnt FROM ?n ?p",$table, $where);
echo "<h2>".$num."</h2>";
于 2013-01-26T07:00:28.267 回答
-1

使用带有命名参数的 PDO

http://php.net/manual/en/pdo.prepared-statements.php

于 2013-01-26T06:09:47.843 回答