我正在使用 MySQLi 来防止对我的网站的任何进一步攻击。我使用的是 PHP 5.6.16,MySQL 版本:5.7.9,并使用 WAMP
在搜索具有一些奇怪字符的用户时遇到以下错误,例如添加 ')
搜索框中的字符。
MySQL error # 1064 and SQLi vulnerability
如何清理文本框输入并防止搜索任何奇怪或无法识别的字符?
代码:
<?php
# Essential files, please don't erase it!
require_once("../functions.php");
require_once("../db-const.php");
session_start();
?>
<html>
<head>
<script src="script.js" type="text/javascript"></script><!-- put it on user area pages -->
</head>
<body>
<h1> View Profile </h1>
<hr />
<?php
if (logged_in() == false) {
echo "<script> window.alert(\"Please login first!\"); </script>";
redirect_to("login.php");
} else {
if (isset($_GET['username']) && $_GET['username'] != "") {
$username = $_GET['username'];
} else {
$username = $_SESSION['username'];
}
## connect mysql server
$mysqli = new mysqli(localhost, root, "", loginsecure);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
## query database
# fetch data from mysql database
$sql = "SELECT * FROM users WHERE username ='".$username."' LIMIT 1";
if ($result = $mysqli->query($sql)) {
$user = $result->fetch_array();
} else {
echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
exit();
}
if ($result->num_rows == 1) {
# calculating online status
if (time() - $user['status'] <= (5*200)) { // 300 seconds = 5 minutes timeout
$status = "Yes";
} else {
$status = "No";
}
# echo the user profile data
echo "<title> View Profile of: {$user['username']} </title>";
echo " Account Searcher: <br>
<form action=\"?username=\" method=\"get\">
Unique ID: <input type=\"text\" name=\"username\" placeholder=\"Searching for user: {$_GET['username']}\">
<input type=\"submit\" value=\"Search\">
</form><hr>
";
echo "Unique ID: {$user['id']}\n<br>Username: {$user['username']}\n<br>First Name: {$user['first_name']}\n<br>Last Name: {$user['last_name']}\n<br>Email: {$user['email']}\n<br>Online? $status\n<br>";
} else { // If user doesn't exists - trigger this event
echo " Account Searcher: <br>
<form action=\"\" method=\"get\">
Username: <input type=\"text\" name=\"username\" placeholder=\"User not found!\">
<input type=\"submit\" value=\"Search\">
</form><hr>
";
echo "<title> User doesn't exists! | Prospekt </title> <p><b>Error:</b> User doesn't exist! Please register first!</p>";
}
}
// showing the login & register or logout link
if (logged_in() == true) {
echo '<a href="../logout.php">Log Out</a> | <a href="../home.php"> Go to Home </a>';
} else {
echo '<a href="../login.php">Login</a> | <a href="register.php">Register</a>';
}
?>
<hr />
</body>
</html>
最佳答案
在验证值之前,您将值直接发送到数据库查询中,这可能会导致危险。为了防止 SQL 注入(inject),有内置的 php 函数,例如 mysqli_real_escape_string()。也就是说,一个完整的更好的解决方案是使用 Php 准备好的语句和 PDO..
在您的代码中:当您从 get 或 post 变量中获取用户的一些数据时,请执行以下操作
<?php
$uname=$_GET['username'];
//now validate
$username=mysqli_real_escape_string($conn,htmlspecialchars($uname));
//Now username is somewhat protected.so now use it for sql queries.
?>
关于PHP |搜索攻击的用户和漏洞,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38811127/