不要在SQL查询中直接使用$_POST变量。
可能重复:
停止PHP 中SQL注入的最佳方法
我刚刚得到了这个PHP脚本来将我的表单字段发布到SQL表中,它运行得很好。由于我计划与许多用户一起使用这个网站,我不想让SQL注入破坏一切。我是PHP的一个超级迷,我希望这里有人能帮助我验证SQL注入我的代码。
<?php
//Check for mysql connection
if (!mysql_connect("mysql4.000webhost.com","a3516066_form","lasvegas1"))
die('Could not connect: ' . mysql_error());
//Escape SQL characters to protect against SQL injection
$username = mysql_real_escape_string($_POST['username']);
$hostname = mysql_real_escape_string($_POST['hostname']);
$ip = mysql_real_escape_string($_POST['ip']);
$email = mysql_real_escape_string($_POST['email']);
mysql_select_db("a3516066_form");
//Query to check for username match
$userCheck = "SELECT * FROM `Accounts` WHERE username = '$username'";
if(mysql_num_rows(mysql_query($userCheck)) != 0)
die("Sorry, username is already in use. Please go back and try again.");
//If the username isn't found, insert the values
$sql = "INSERT INTO Accounts VALUES ('$username','$hostname','$ip','$email')";
if (mysql_query($sql)) {
//Successful query
header ("location: /done.html");
exit();
} else
//Failed query
die("Something is wrong, we could not complete your request.");
?>
相反,您可以编写这样的函数,并在连接到数据库后使用来清除任何恶意输入。
function secure() {
$_GET = array_map('trim', $_GET);
$_POST = array_map('trim', $_POST);
$_COOKIE = array_map('trim', $_COOKIE);
$_REQUEST = array_map('trim', $_REQUEST);
if(get_magic_quotes_gpc()) {
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
$_REQUEST = array_map('stripslashes', $_REQUEST);
}
$_GET = array_map('mysql_real_escape_string', $_GET);
$_POST = array_map('mysql_real_escape_string', $_POST);
$_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
$_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
}