请问这个PHP下防范MySQL注入攻击的方法管用吗？-PHP Tutorial-php.cn

Table of Contents

回复内容：

Home

Backend Development

PHP Tutorial

请问这个PHP下防范MySQL注入攻击的方法管用吗？

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 06, 2016 pm 04:42 PM

function input replace

function strinput($input)
{
$input=strval($input);
$replace=array('union','load','and','or','select','update','insert','delete','create','char','ascII','ord','conv','=','--','#','*','%','_','\\','\'',"\"");
$input=str_ireplace($replace,"0",$input);
return $input;
}

定义一个这样的过滤函数，对所有GPC来的字符串数据都先过一遍。这样可以完全防范MySQL注入攻击吗？

回复内容：

这类的过滤只能给注入者增加一些麻烦，远远做不到完全防范。
1、注入者可以用sElEcT来代替select
2、注入者可以用selselectect来让你过滤一遍，尝试获得select
3、注入者可以用url码来替代所有输入
4、注入者可以。。。用很多种方法，试出你的过滤函数是什么样的
你和注入者的技能可以在遭受泄露的拉锯战中不断获得提升。
直到你使用了以下方法的其中之一，才开始踏上了安全的征程：
1、白名单。严格定义只能输入哪些字符来查询，其他一律不行。
2、参数化查询。先将SQL语言编译，再代入参数。这时候就算他提交了select * from password where table=admin也只会去查询这一长串字符而不会执行SQL语句了。php下的示例如李世光所说。这个函数做到完全防范MySQL注入攻击还是比较难的，攻与防本来就是动态的，要是实现一劳永逸的防守还是有难度的。

1、针对一些安全防御，可能目前没法绕过，但是随着对攻击技术的研究可能就会出现绕过方法，像dedecms、dz等的安全防御经常被bypass。
2、根据你业务的不同，实现业务的代码可能就提供了绕过方法。例如一个简单的搜索业务，可能在后面的代码会调用urldecode解码函数：
.....
$q = strinput($_GET['query']);
$q = urldecode($q);
$sql = "select * from table where key='".$q."'";
.....
你在urldecode前面做的所有过滤都是徒劳的

要做到尽量减少安全漏洞不只是sql注入，需要在恰当的地方做正确的事情。这可能要了解一些安全知识，像《白帽子讲web安全》，《web前端黑客》都是web安全不错的书籍。

php安全的在线文档（e文）：Survive The Deep End: PHP Security 关于mysql防护其实很简单。
1.使用PDO::prepare PDO::bindParam来过滤输入参数
2.将HTML转成实体 htmlspecialchars 用PHP的PDO扩展去使用数据库，该扩展封装的类和方法已经考虑了防注入。用PHP的安全函数在query的时候把变量转义一下就可以了。建议使用参数化查询或白名单。
黑名单几乎在任何时候都是不可取的。请使用pdo 不要自作聪明地过滤，总会有遗漏的地方的，你过滤不完的。
请用pdo + 参数绑定，一劳永逸，一了百了。你要注意到，这样子很有可能过滤用户的合法输入。
过滤sql注入的方法常见的有如下两种：
1 mysql_real_escape_string
2 pdo的prepare+bind

另，网站安全性不止是sql注入一方面，还要考虑到csrf和xss等。字符串过滤:
1>mysql_real_escape_string
2>PDO::prepare

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

Roblox: Grow A Garden - Complete Mutation Guide

3 weeks ago By DDD

Roblox: Bubble Gum Simulator Infinity - How To Get And Use Royal Keys

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

How to fix KB5055612 fails to install in Windows 10?

3 weeks ago By DDD

Nordhold: Fusion System, Explained

3 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Blue Prince: How To Get To The Basement

1 months ago By DDD

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Java Tutorial

1664

CakePHP Tutorial

1423

Laravel Tutorial

1318

PHP Tutorial

1269

C# Tutorial

1248

Related knowledge

What does function mean? Aug 04, 2023 am 10:33 AM

Function means function. It is a reusable code block with specific functions. It is one of the basic components of a program. It can accept input parameters, perform specific operations, and return results. Its purpose is to encapsulate a reusable block of code. code to improve code reusability and maintainability.

How to implement laravel input hidden field Dec 12, 2022 am 10:07 AM

How to implement the laravel input hidden field: 1. Find and open the Blade template file; 2. Use the method_field method in the Blade template to create a hidden field. The creation syntax is "{{ method_field('DELETE') }}".

How to encapsulate input components and unified form data in vue3 May 12, 2023 pm 03:58 PM

Preparation Use vuecreateexample to create a project. The parameters are roughly as follows: use native input. Native input is mainly value and change. The data needs to be synchronized when changing. App.tsx is as follows: import{ref}from'vue';exportdefault{setup(){//username is the data constusername=ref('Zhang San');//When the input box changes, synchronize the data constonInput=;return( )=>({

How to use the REPLACE function to replace a specified part of a string in MySQL Jul 25, 2023 pm 01:18 PM

MySQL is a commonly used relational database management system that provides a variety of functions to process and operate data. Among them, the REPLACE function is used to replace the specified part of the string. In this article, we will introduce how to use the REPLACE function for string replacement in MySQL and demonstrate its usage through code examples. First, let’s take a look at the syntax of the REPLACE function: REPLACE(str,search_str,replace_str).

What to do if there is no cursor when clicking on the input box Nov 24, 2023 am 09:44 AM

Solutions for clicking the input box without a cursor: 1. Confirm the focus of the input box; 2. Clear the browser cache; 3. Update the browser; 4. Use JavaScript; 5. Check the hardware device; 6. Check the input box properties; 7. Debug JavaScript code; 8. Check other elements of the page; 9. Consider browser compatibility.

What are the string search and replace techniques in Python? Oct 20, 2023 am 11:42 AM

What are the string search and replace techniques in Python? (Specific code example) In Python, strings are a common data type, and we often encounter string search and replace operations in daily programming. This article will introduce some common string search and replacement techniques, accompanied by specific code examples. To find a specific substring in a string, you can use the find() method or index() method of the string. The find() method returns the index of the first occurrence of the substring in the string.

What is the purpose of the 'enumerate()' function in Python? Sep 01, 2023 am 11:29 AM

In this article, we will learn about enumerate() function and the purpose of “enumerate()” function in Python. What is the enumerate() function? Python's enumerate() function accepts a data collection as a parameter and returns an enumeration object. Enumeration objects are returned as key-value pairs. The key is the index corresponding to each item, and the value is the items. Syntax enumerate(iterable,start) Parameters iterable - The passed in data collection can be returned as an enumeration object, called iterablestart - As the name suggests, the starting index of the enumeration object is defined by start. if we ignore

Detailed explanation of the role and function of the MySQL.proc table Mar 16, 2024 am 09:03 AM

Detailed explanation of the role and function of the MySQL.proc table. MySQL is a popular relational database management system. When developers use MySQL, they often involve the creation and management of stored procedures (StoredProcedure). The MySQL.proc table is a very important system table. It stores information related to all stored procedures in the database, including the name, definition, parameters, etc. of the stored procedures. In this article, we will explain in detail the role and functionality of the MySQL.proc table

See all articles