-1

想知道是否有人可以帮助我增加对 PHP 编码的保护,这是非常基本的,需要一些防御。

我希望我已经提供了足够的详细信息来说明我需要帮助的内容,非常感谢!

 <?php
    //This is only displayed if they have submitted the form 

    if ($searching =="yes")  {
        echo "<h2>Results</h2><p>";
        //If they did not enter a search term we give them an error 

        if ($find == "")
        if ($f == "")
        if ($info == "")
        if ($zip == "")
        if ($state == "")
        if ($email == "")
        if ($address == "")
        {
            echo "<p>You forgot to enter a search term";
            exit;
        }

        // Otherwise we connect to our Database 
        mysql_connect("xx.xx.xx", "xxxx", "xxxxx") or die(mysql_error());
        mysql_select_db("xxxxx") or die(mysql_error());
        // We preform a bit of filtering 
        $find = strtoupper($find);
        $find = strip_tags($find);
        $find = trim ($find);
        $f = strtoupper($f);
        $f = strip_tags($f);
        $f = trim ($f);
        $info = strtoupper($info);
        $info = strip_tags($info);
        $info = trim ($info);
        $zip = strtoupper($zip);
        $zip = strip_tags($zip);
        $zip = trim ($zip);

        $state = strtoupper($state);
        $state = strip_tags($state);
        $state = trim ($state);

        $email = strtoupper($email);
        $email = strip_tags($email);
        $email = trim ($email);

        $address = strtoupper($address);
        $address = strip_tags($address);
        $address = trim ($address);
        //Now we search for our search term, in the field the user specified 
$data = mysql_query("SELECT * FROM users WHERE fname 
LIKE '%" . mysql_real_escape_string($find)      . "%' AND lname 
LIKE '%" . mysql_real_escape_string($f)         . "%' AND info 
LIKE '%" . mysql_real_escape_string($info)      . "%' AND zip 
LIKE '%" . mysql_real_escape_string($zip)       . "%' AND state
LIKE '%" . mysql_real_escape_string($state)     . "%' AND email 
LIKE '%" . mysql_real_escape_string($email)     . "%' AND address 
LIKE '%" . mysql_real_escape_string($address)   . "%'");
 //And we display the results 
 while($result = mysql_fetch_array( $data ))
 { 
 echo $result['fname']; 
 echo "<br>"; 
 echo $result['lname']; 
 echo "<br>"; 
 echo $result['info']; 
 echo "<br>"; 
 echo $result['zip']; 
 echo "<br>"; 
 echo $result['state']; 
 echo "<br>"; 
 echo $result['email']; 
 echo "<br>"; 
  echo $result['address']; 
 echo "<br>"; 
 } 
 //This counts the number or results - and if there wasn't any it gives them a little message explaining that 
 $anymatches=mysql_num_rows($data); 
 if ($anymatches == 0) 
 { 
 echo "Sorry, but we can not find an entry to match your query<br><br>"; 
 } 
 //And we remind them what they searched for 
 echo "<b>Searched For:
        </b> " .$find; 
 } 
 ?>
4

4 回答 4

-1

Don't use the mysql functions anymore, they are deprecated.

Instead use the mysqli or the pdo class.

For more detail, take a look at this stackoverflow post

How can I prevent SQL injection in PHP?

Beside that, you code is very ugly. Try to seperate your logik from the view.

于 2013-02-26T12:47:09.730 回答
-1

Also in php you can sanitize you data before inserting into database . check this code .

<?php 
$email = "clifton@example"; //Note the .com missing  
if(filter_var($email, FILTER_SANITIZE_EMAIL)){ 
    echo $email.'<br>'; 
    var_dump(filter_var($email, FILTER_SANITIZE_EMAIL)); 
}else{ 
    var_dump(filter_var($email, FILTER_SANITIZE_EMAIL));    
} 
?>

support link : php sanitize

于 2013-02-26T12:47:29.180 回答
-1 
<Paranoia>

1. No using of old mysql functions (told already)
2. intval() on zip-field
3. regexp on others

</Paranoia>
于 2013-02-26T12:55:01.017 回答
-2

只是摆脱// We preform a bit of filtering块。
其余的还算可以。

但是,您的查询几乎找不到任何东西。
是否打算找到包含所有输入值的单行?
我有一种感觉是你的意思OR,而不是AND你的标准

于 2013-02-26T12:43:09.710 回答