How does MySQL prevent SQL injection? SQL injection principles and prevention


MySQL and SQL injection

If you take data that a user entered through a web page and insert it into a MySQL database, SQL injection security problems can arise.

This chapter introduces how to prevent SQL injection and how to use scripts to filter injected characters in SQL.

So-called SQL injection is tricking the server into executing malicious SQL commands by entering SQL commands into a web form for submission, or into the query string of a domain name or page request.

Never trust user input. We must assume that all user input is unsafe, and we need to filter all of it.

In the following example, the entered username must consist only of letters, digits and underscores, and must be between 8 and 20 characters long:

if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   // $matches[0] can only contain [A-Za-z0-9_], but it is still a string
   // value and has to be quoted in the SQL text
   $result = mysqli_query($conn, "SELECT * FROM users
                          WHERE username='{$matches[0]}'");
}
else
{
   echo "invalid username input";
}

Let us look at what happens to the SQL when certain special characters are not filtered:

// Suppose an SQL statement we did not intend has been inserted into $name
$name = "Qadir'; DELETE FROM users;";
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the injection statement above, the $name variable was not filtered, and an SQL statement we did not want was inserted into $name; it would delete all the data in the users table.

mysqli_query() in PHP does not allow multiple SQL statements to be executed, but in SQLite and PostgreSQL multiple SQL statements can be executed at once, so the user's data has to be validated strictly.

To prevent SQL injection, pay attention to the following points:

  • 1. Never trust user input. Validate user input, for example with regular expressions or by limiting its length; transform single quotes and double dashes ("--"), and so on.
  • 2. Never build SQL by dynamic string assembly; use parameterized SQL or use stored procedures directly for data queries and access.
  • 3. Never use a database connection with administrator privileges; use a separate connection with limited privileges for each application.
  • 4. Do not store confidential information directly; encrypt or hash passwords and sensitive information.
  • 5. Application exception messages should give as few hints as possible; it is best to wrap the original error messages in custom error messages.
  • 6. SQL injection detection is generally done with auxiliary software or a website platform. The software commonly used is the SQL injection detection tool jsky; on the website platform side there is the Yisi website security platform detection tool, MDCSOFT SCAN, and others. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks and the like.
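Point 2 above is the one the article names but does not show. The following is an added example, not code from the original article: the username lookup from the earlier snippet rewritten with a mysqli prepared statement, so the value travels to the server separately from the SQL text and can never alter the statement's structure. The table and column names, the connection parameters and the `app_ro` account are assumptions.

```php
<?php
// Added example (not from the original article): the username lookup with a
// mysqli prepared statement instead of string interpolation.
// Connection parameters and the account name below are placeholders.
declare(strict_types=1);

// Throw exceptions on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the username exactly as the article does (8-20 word characters),
 * then look it up with a bound parameter. Returns the row or null.
 */
function find_user(mysqli $conn, string $username): ?array
{
    // Allow-list validation first: reject anything that is not 8-20 [A-Za-z0-9_].
    if (!preg_match('/^\w{8,20}$/', $username)) {
        throw new InvalidArgumentException('invalid username input');
    }

    // The SQL text contains only a placeholder; no user data is concatenated,
    // so the driver sends the value as data, not as part of the statement.
    $stmt = $conn->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' = bind as a string
    $stmt->execute();

    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Assumed connection details (placeholders). Following point 3 of the list,
// the account should hold only the privileges the application needs, e.g.
//   GRANT SELECT ON appdb.users TO 'app_ro'@'localhost';
$conn = new mysqli('localhost', 'app_ro', 'password-placeholder', 'appdb');

try {
    $user = find_user($conn, $_GET['username'] ?? '');
    echo $user ? "found {$user['username']}\n" : "no such user\n";
} catch (InvalidArgumentException $e) {
    // Point 5: report a generic message rather than the raw database error.
    echo $e->getMessage(), "\n";
}
```

The validation and the prepared statement are independent layers: the regex limits what the application accepts, and the bound parameter guarantees that whatever is accepted is compared as a string value, never parsed as SQL.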

Preventing SQL injection

In scripting languages such as Perl and PHP you can escape the data the user entered to prevent SQL injection.

The MySQL extension for PHP provides the mysqli_real_escape_string() function to escape special characters in the input.

// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself
// in PHP 8.0; guard the call so the snippet also runs on current PHP
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
  $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Injection in LIKE statements

When querying with LIKE, if the value the user entered contains "_" or "%", the following happens: the user wanted to search for "abcd_", but the results also contain "abcd_", "abcde", "abcdf" and so on; the same problem occurs when the user wants to search for "30%" (note: thirty percent).

In PHP scripts we can use the addcslashes() function to handle the situation above, as in the following example:

$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash before the specified characters.

Syntax:

addcslashes(string,characters)

Parameter    Description
string       Required. Specifies the string to check.
characters   Optional. Specifies the character or range of characters affected by addcslashes().
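The article's LIKE snippet escapes twice, once for the SQL string literal and once for the wildcards, because it interpolates the value into the query text. With a prepared statement the first escaping is no longer needed, and only the LIKE metacharacters remain. The following is an added example, not code from the original article; the `messages` table, the `subject` column and the helper names are assumptions.

```php
<?php
// Added example (not from the original article): a LIKE search with a bound
// parameter. The parameter protects the SQL structure, so only the LIKE
// wildcards "%" and "_" (and the escape character "\" itself) still need
// escaping, which addcslashes() does.
declare(strict_types=1);

/**
 * Escape LIKE metacharacters so the user's text is matched literally.
 * MySQL's default LIKE escape character is the backslash.
 */
function escape_like(string $value): string
{
    // The backslash is listed first so that a user-supplied "\" cannot
    // un-escape a wildcard we add afterwards.
    return addcslashes($value, '\\%_');
}

/**
 * Return the subjects that start with $prefix, with $prefix matched literally.
 * Table and column names are assumptions for this example.
 */
function subjects_starting_with(mysqli $conn, string $prefix): array
{
    // Build the pattern in PHP: the literal prefix followed by a real "%" wildcard.
    $pattern = escape_like($prefix) . '%';

    // The pattern is bound as data; the SQL text never changes.
    $stmt = $conn->prepare('SELECT subject FROM messages WHERE subject LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();

    $subjects = array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'subject');
    $stmt->close();
    return $subjects;
}

// The escaping step alone, runnable without a database:
var_dump(escape_like('abcd_'));  // the "_" is now a literal underscore, not a single-character wildcard
var_dump(escape_like('30%'));    // the "%" is now a literal percent sign, not a multi-character wildcard
var_dump(escape_like('a\\b'));   // the user's own backslash is neutralised
```

Note that mysqli_real_escape_string() must not be applied on top of this when the value is bound as a parameter: the driver already transmits the value verbatim, so the extra escaping would insert literal backslashes into the pattern and break the match.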

Chen Weiliang Blog ( https://www.chenweiliang.com/ ) hopes that sharing "How does MySQL prevent SQL injection? SQL injection principles and prevention" has been helpful to you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-500.html
