How does MySQL prevent SQL injection? SQL injection principles and protection

MySQL and SQL injection

If you take data entered by a user on a web page and insert it into a MySQL database, you may be exposed to a SQL injection security problem.

This chapter shows how to prevent SQL injection and how to use a script to filter the characters that reach SQL.

So-called SQL injection is tricking the server into executing malicious SQL commands by inserting SQL commands into a web form submission or into the query string of a domain name or page request.

We must never trust user input; we must assume that all user-supplied data is unsafe, and every piece of user input has to be filtered.

In the example below, the username entered must consist only of letters, digits, and underscores, and it must be between 8 and 20 characters long:

if (preg_match("/^\w{8,20}$/", $_GET['username'] ?? '', $matches))
{
   // $matches[0] holds only the validated username; it still has to be
   // quoted as a string literal in the SQL text
   $result = mysqli_query($conn, "SELECT * FROM users 
                          WHERE username='$matches[0]'");
}
else
{
   echo "username 输入异常";
}

Let's look at what happens to the SQL when special characters are not filtered:

// Suppose $name contains a SQL statement that we never intended to run
$name = "Qadir'; DELETE FROM users;";
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the statement above we did not filter the variable $name; a SQL statement we did not want was inserted into $name, and it would delete all the data in the users table.

mysqli_query() in PHP does not allow several SQL statements to be executed in one call, but SQLite and PostgreSQL can execute several SQL statements at once, so with those databases user data must be validated especially strictly.

To prevent SQL injection, we need to pay attention to the following points:

  • 1. Never trust user input. Validate user input: you can use regular expressions or limit the length, and convert single quotes and the double hyphen "--", and so on.
  • 2. Never use dynamically assembled SQL; use parameterized SQL, or use stored procedures directly for data queries and access.
  • 3. Never use a database connection with administrator privileges; give each application its own database connection with limited privileges.
  • 4. Do not store confidential information directly; encrypt or hash passwords and sensitive information.
  • 5. The application's error messages should give as few hints as possible; it is best to wrap the original error messages in custom error messages.
  • 6. SQL injection is usually detected with the help of software or a web platform. Software commonly uses the SQL injection detection tool jsky; web platforms include the Yisi website security platform detection tool, MDCSOFT SCAN, and others. MDCSOFT-IPS can be used to protect effectively against SQL injection, XSS attacks, and so on.

Preventing SQL injection

In scripting languages such as Perl and PHP you can escape the data entered by the user to prevent SQL injection.

The MySQL extension for PHP provides the mysqli_real_escape_string() function to escape special characters.

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
  // magic quotes were removed in PHP 5.4 and the function itself in PHP 8;
  // undo their quoting only where they can still exist
  $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
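Escaping, as above, works only as long as every value is escaped with the right function and then placed inside a quoted literal. Point 2 of the list above (use parameterized SQL instead of assembling SQL dynamically) removes that dependency, and the article shows no code for it, so here is an added example that is not part of the original post. It assumes a MySQL table users(id, name, email), a low-privilege account app_ro that has only SELECT on it (point 3 above), and a mysqli build with mysqlnd so that get_result() is available; the host, credentials and database name are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.
// Assumptions: table users(id, name, email); account app_ro with SELECT only;
// mysqlnd available (needed for mysqli_stmt::get_result()).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look a user up by name with a prepared statement.
 * The "?" placeholder is sent to MySQL separately from the statement text,
 * so a quote or semicolon inside $name can never end the string literal
 * or start a second statement: the whole value is compared as data.
 */
function find_user_by_name(mysqli $conn, string $name): ?array
{
    $stmt = $conn->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholder connection details; the account should only be able to SELECT.
$conn = new mysqli('localhost', 'app_ro', 'PLACEHOLDER_PASSWORD', 'app_db');

// Constructed inputs: a normal name and the payload from the article.
// With the prepared statement the second one simply matches no row; the
// users table is untouched, and no escaping call had to be remembered.
foreach (['Qadir', "Qadir'; DELETE FROM users;"] as $input) {
    $user = find_user_by_name($conn, $input);
    printf("%-30s => %s\n", $input, $user ? 'found id ' . $user['id'] : 'no match');
}
```

The regex validation shown at the start of the article still belongs in front of this call; the prepared statement is what makes the query safe when validation is too loose or is forgotten, and the limited-privilege account bounds the damage if anything else goes wrong.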

LIKE statement injection

In a LIKE query, if the value entered by the user contains "_" or "%", the following happens: the user only wanted to search for "abcd_", but the results contain "abcd_", "abcde", "abcdf", and so on; the same problem appears when the user wants to search for "30%" (note: thirty percent).

In a PHP script we can use the addcslashes() function to handle the problem above, as in the following example:

$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash in front of the specified characters.
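The backslash that addcslashes() inserts only works because MySQL's default LIKE escape character is the backslash and because `\%` and `\_` survive string-literal parsing. The added example below, which is not part of the original article, does the same wildcard escaping with an explicitly declared ESCAPE character and binds the pattern as a parameter, so it no longer depends on string-literal escaping at all. It assumes a table messages(id, subject) reachable through an existing mysqli handle $conn.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.
// Assumption: table messages(id, subject), $conn is an open mysqli handle.

/**
 * Escape the LIKE metacharacters so the user's text is matched literally.
 * '!' is chosen as the escape character and is declared in the query with
 * ESCAPE '!', so the result does not depend on the backslash rules of
 * MySQL string literals or on the NO_BASKSLASH_ESCAPES sql_mode.
 * '!' itself must be doubled so a user-supplied '!' stays literal.
 */
function escape_like(string $s): string
{
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

/** Prefix search on subject: the escaped prefix is bound, the '%' is fixed. */
function find_messages_by_prefix(mysqli $conn, string $prefix): array
{
    $sql = "SELECT id, subject FROM messages WHERE subject LIKE CONCAT(?, '%') ESCAPE '!'";
    $stmt = $conn->prepare($sql);
    $pattern = escape_like($prefix);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed checks using the inputs discussed in the article:
// "abcd_" must no longer match "abcde", and "30%" must mean a literal percent sign.
assert(escape_like('abcd_') === 'abcd!_');
assert(escape_like('30%') === '30!%');
assert(escape_like('%something_') === '!%something!_');
assert(escape_like('100!') === '100!!');
```

With this shape the user never controls which part of the pattern is a wildcard: the prefix is escaped and bound, and the only unescaped `%` is the one the query itself appends.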

Syntax:

addcslashes(string,characters)
Parameter    Description
string       Required. Specifies the string to check.
characters   Optional. Specifies the characters or ranges of characters affected by addcslashes().

We hope this Chen Weiliang Blog ( https://www.chenweiliang.com/ ) article, "How does MySQL prevent SQL injection? SQL injection principles and protection", has been helpful to you.

Feel free to share the link to this article: https://www.chenweiliang.com/cwl-500.html

You are welcome to join the Telegram channel of the Chen Weiliang blog to get the latest updates!
