我想知道防止或取消 SQL 注入或 URL 的最佳方法。
例如,www.mysite.com/profile.php?id=18。这种网站(如果启用了 MySQL_Error)容易受到注入的攻击。我该如何预防?mysql_real_escape_string 将被弃用,所以它很快就会没用。
我尝试了 htmlspecialchars() 但它不适用于 URL。
我想知道防止或取消 SQL 注入或 URL 的最佳方法。
例如,www.mysite.com/profile.php?id=18。这种网站(如果启用了 MySQL_Error)容易受到注入的攻击。我该如何预防?mysql_real_escape_string 将被弃用,所以它很快就会没用。
我尝试了 htmlspecialchars() 但它不适用于 URL。
您需要采取很多步骤来防止 sql 注入
看看这篇关于这个主题的文章
http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev
我希望这会帮助你走向正确的方向
<?php
//===========================================================================\\
// \\
// Copyright (c) 2000-2015 Willem Vyent. All rights reserved. \\
//---------------------------------------------------------------------------\\
// http://www.tnhteam.com/ http://www.awesomehosting.org/ \\
//---------------------------------------------------------------------------\\
// \\
// \\
// \\
// \\
// Coded by Willem Vyent \\
// This program is distributed in the hope that it will be useful, but \\
// WITHOUT ANY WARRANTY \\
// \\
// \\
//===========================================================================\\
if(!defined('FILE_PROTECT')) { // You should define this in your pages BEFORE you include this file
die('This file cannot be accessed directly!<br /><br />Dit bestand kan niet rechtstreeks worden benaderd<br /><br />Click <a href=\'http://' . $_SERVER['HTTP_HOST'] . '>here</a> to visit our homepage'); // Do not change it's a text for users who visit this document. we included a link as well...
}
// Custom error handler - collecting information
function awesome_error_handler($number, $message, $file, $line, $vars)
{
$actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
$email = "<p>An error known as number <strong>$number</strong> has been found on line <strong>$line</strong>, this error has been found in file <strong>$file</strong>. The requested URL with errors is $actual_link<br /><p> $message </p>";
$email .= "<pre>" . print_r($vars, 1) . "</pre>";
$headers = 'Content-type: text/html; charset=iso-8859-1' . "";
// Email the error to the webmaster...
error_log($email, 1, 'your-name@example.com', $headers); // Yor email here...
// Make sure that you decide how to respond to errors (on the user's side)
// Either echo an error message, or kill the entire project. It's up to you...
// The code below ensures that we only "die" if the error was more than
// just a NOTICE.
if ( ($number !== E_NOTICE) && ($number < 1024) ) {
die('Sorry, this page is broken, but our coders will fix it ASAP.'); // your message to the website user (visitor)
}
}
// Tell this script to use this error handler when errors found..
set_error_handler('awesome_error_handler');
?>
<?php
if(isset($_REQUEST["id"])){
if(!is_int($_REQUEST["id"])){
//redirect this person back to homepage
} else {
$id_raw = trim(htmlentities($_REQUEST["id"]));
$id_secure = mysql_real_escape_string($id_raw);
$sql = "SELECT * FROM databasetable WHERE id='".$id_secure."'";
}
}
?>