如何在PHP中防止SQL注入-系统运维-优客志

本教程将帮助您在PHP中防止SQL注入。在本教程中，首先检查SQL注入过程的基本示例。用户如何使用SQL注入从您的网站窃取数据？本教程还包括使用PHP-MySQLi和PHP-PDO驱动程序阻止SQL注入的方法。

简单的SQL注入示例

例如，A有一个银行网站。您已经向银行客户提供了一个网络界面，以查看其帐号和余额。您的银行网站使用 http://example.com/get_account_details.php?account_id=102等网址从数据库中获取详细信息。例如 get_account_details.php有如下代码。

$accountId = $_GET['account_id']; $query = "SELECT accountNumber, balance FROM accounts WHERE accountId = $accountId";

1 2	$accountId = $_GET [ 'account_id' ] ; $query = "SELECT accountNumber, balance FROM accounts WHERE accountId = $accountId" ;

Customers accountId is passed through query string as account_id. Like above Url, if a user’s account id 102 and it passed in the query string. The Php script will create a query like below.

$query = "SELECT accountNumber, balance FROM accounts WHERE accountId = 102";

1	$query = "SELECT accountNumber, balance FROM accounts WHERE accountId = 102" ;

Details fetched for specified account. The accountNumber and balance details are fetched for accountId 102 and provided to customers as showing in above screenshot. Let’s, assume another scenario – An over smart customer has passed account_id as 0 OR 1=1 in query string. What will be happened now? The PHP script will create a query like below and executed on the database.

$query = "SELECT accountNumber, balance FROM accounts WHERE accountId = 0 OR 1=1";

1	$query = "SELECT accountNumber, balance FROM accounts WHERE accountId = 0 OR 1=1" ;

Details fetched for all accounts Look at the query created by script and result returned by the database. You can see that this query returned all accounts number and the available balance. This is called SQL Injection. This is the simple scenario, there can be a number of methods to do SQL injections. Below tutorial will help you to prevent SQL injection using PHP MySQLi driver and PHP PDO driver.

#1. Using PHP-MySQLi Driver

You can use PHP-MySQLi driver prepared statements to avoid these type of SQL injections. Use below PHP code which will prevent SQL injection.

$accountId = $_GET['account_id']; if ($stmt = $mysqli->prepare('SELECT accountNumber, balance FROM accounts WHERE accountId = ?')) { $stmt->bind_param("s", $accountId); $stmt->execute(); $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { // do something here } $stmt->close(); }

$accountId = $_GET [ 'account_id' ] ;

if ( $stmt = $mysqli -> prepare ( 'SELECT accountNumber, balance FROM accounts WHERE accountId = ?' ) ) {

$stmt -> bind_param ( "s" , $accountId ) ;

$stmt -> execute ( ) ;

$result = $stmt -> get_result ( ) ;

while ( $row = $result -> fetch_assoc ( ) ) {

// do something here

}

$stmt -> close ( ) ;

}

#2. Using PHP-PDO Driver

You can use PHP-PDO driver prepare statements to avoid these type of SQL injections. Use below PHP code which will resolve above SQL injections.

$accountId = $_GET['account_id']; if ($stmt = $pdo->prepare('SELECT accountNumber, balance FROM accounts WHERE accountId = :accountId')) { $stmt->execute(array('name' => $name)); foreach ($stmt as $row) { // do something here } $stmt->close(); }

$accountId = $_GET [ 'account_id' ] ;

if ( $stmt = $pdo -> prepare ( 'SELECT accountNumber, balance FROM accounts WHERE accountId = :accountId' ) ) {

$stmt -> execute ( array ( 'name' = > $name ) ) ;

foreach ( $stmt as $row ) {

// do something here

}

$stmt -> close ( ) ;

}

Share on Facebook Share

Share on Twitter Tweet

Share on Google Plus Share

Share on Pinterest Share

Share on Linkedin Share

Share on Digg Share

如何在PHP中防止SQL注入

简单的SQL注入示例

#1. Using PHP-MySQLi Driver

#2. Using PHP-PDO Driver

相关推荐

推荐云主机，建站更安全

热度排行

热门标签

回顶部

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信扫一扫打赏