我的代码中有一个 sql 注入,我用 havji 检查了它。
所以我正在考虑一个修复,我将我的值的类型设置为整数或这样的字符串。这可以解决问题吗?就像不再注射一样???没什么好担心的 ?我的代码在下面,对不起我的英语不好!
function get_page_by_id($page_id) {
settype($page_id, "integer");
global $connection;
$query = "SELECT * ";
$query .= "FROM pages ";
$query .= "WHERE id=" . $page_id ." ";
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// REMEMBER:
// if no rows are returned, fetch_array will return false
if ($page = mysql_fetch_array($result_set)) {
return $page;
} else {
return NULL;
}
}
修复前的代码
function get_page_by_id($page_id) {
global $connection;
$query = "SELECT * ";
$query .= "FROM pages ";
$query .= "WHERE id=" . $page_id ." ";
$query .= "LIMIT 1";
$result_set = mysql_query($query, $connection);
confirm_query($result_set);
// REMEMBER:
// if no rows are returned, fetch_array will return false
if ($page = mysql_fetch_array($result_set)) {
return $page;
} else {
return NULL;
}
}