php - mysqli 中的安全性

Question

所以我尝试开始使用 mysqli 来提高安全性，这就是我目前所拥有的：一个 conectar.php 文件

<?php
$DBServer = 'X'; // ip o lo que sea
$DBUser   = 'X';
$DBPass   = 'X';
$DBName   = 'X';
 $conn = new mysqli($DBServer, $DBUser, $DBPass, $DBName);

 if ($conn->connect_error) {
 trigger_error('Database connection failed: '  . $conn->connect_error, E_USER_ERROR);
  }
   ?>

然后是一个包含以下代码的php文件：

include("admin/conectar.php");
$categoria = $_GET['categoria'];
if($categoria){
 $query_p = $conn->query("SELECT * FROM `productos` WHERE `categoria` = '$categoria'     ORDER BY nombre ASC");
while($result_p = $query_p->fetch_object()){
$nombre = $result_p->nombre;
$referencia = $result_p->referencia;;
$descripcion = $result_p->descripcion; 
$imagen = $result_p->imagen;

我应该怎么做才能防止黑客攻击或 SQL 注入？我应该设置一个数组以便只接受 $categoria 的某些值吗？谢谢！

score 0 · Accepted Answer

Never use such a GET variable as a variable that is used in a SQL query, because someone could change the value of the GET variable into e.g. "DROP TABLE ...". To improve the security of your code:

Think about prepared statements
Use mysql_real_escape_string or mysqli::real_escape_string

php - mysqli 中的安全性

1 回答 1

Related

Reference