0

下面我有一个运行良好的 Php 注册表单,但有点担心,因为该表单对于 Sql 注入攻击是开放的,我知道它,但编码知识非常有限来防止它,但仍在学习。

已设法添加验证码以防止机器人自动填写表格并提交,但不幸的是不能说能够验证名字和姓氏,我只是想知道如何保护自己免受这种攻击。

相关代码如下所示,谢谢!

1)检查.php

<?php
    session_start();
    $captcha = $_POST['captcha'];
    $captcha_answer = $_SESSION['captcha_answer'];

    if($captcha != $captcha_answer) {
        echo 'Captcha is incorrect!';
    }
    else {
        echo 'Captcha is correct, congratulations! :)';
    }
?>




<?php



    if(isset($_POST['registration']) && $captcha == $captcha_answer)
    {
        require "connection.php";



        $FirstName = strip_tags($_POST['FirstName']);

        $LastName = strip_tags($_POST['LastName']);

        $Msisdn = $_POST['Msisdn'];

        $month = $_POST['month'];

        $day = $_POST['day'];

        $year = $_POST['year'];

        $date = $year . "-" . $month . "-" . $day;

        $dob = date('y-m-d', strtotime($date));

        $Gender = $_POST['Gender'];

        $Faith = $_POST['Faith'];

        $City = $_POST['City'];

        $MarritalStatus = $_POST['MarritalStatus'];

        $Profession =$_POST['Profession'];

        $Country = $_POST['Country'];





    $query="insert into users set FirstName='".$FirstName."',LastName='".$LastName
            ."',Msisdn='".$Msisdn."',dob='".$dob."',Gender='".$Gender."',Faith='".$Faith."',City='".$City."',MarritalStatus='".$MarritalStatus."',Profession='".$Profession."',Country='".$Country."'";


    mysql_query($query)or  die("".mysql_error());   



        echo "Successful Registration!";



            }
?>

2) 注册.php

</head>

<body>

    </tr>

<div id="div-regForm">

<div class="form-title">Sign Up</div>
<div class="form-sub-title">It's free and anyone can join</div>

    <form method="post" action="check.php" enctype="multipart/form-data">

    <table width="900" align="center" cellpadding = "15">



        <tr>
            <td>FirstName:</td>
            <td><input type="text" name="FirstName" maxlength="10" required="" ></td>

        </tr>
        <tr>
            <td>LastName:</td>
            <td><input type="text" name="LastName" maxlength="10" required=""></td>
4

2 回答 2

0

1) 你应该使用 mysqli object:prepared statements 来防止 SQL 注入。您应该始终在客户端和服务器端进行检查

简单示例,添加 stmt->bind_result 和 stmt->fetch 以确保完整性

$mysqli = new mysqli("localhost","root","","dbname");
$stmt = $mysqli->prepare("SELECT * FROM account WHERE username=? and shapass=? LIMIT 1")
$stmt->bind_param("ss",$username,$encrypted_password);
$stmt->execute();
$stmt->bind_result($result1,result2) // assuming table has 2 columns

while( $stmt->fetch() )
{
      //do something
      echo $result1;
      echo $result2;
}
于 2013-09-11T14:20:55.437 回答
0

如果您想保护自己免受 SQL 注入,请不要使用 mysql_* 函数。它们已被弃用,不支持准备好的语句。

请改用 PDO,并阅读.

于 2013-09-11T14:17:22.467 回答