How does MySQL prevent SQL injection? SQL injection principles and prevention


MySQL and SQL injection

If you take input entered by a user on a web page and insert it into a MySQL database, the application may be exposed to SQL injection.

This chapter explains how to prevent SQL injection and how to filter, in a script, the characters an attacker would use to inject SQL.

So-called SQL injection means inserting SQL commands into a web form submission, or into the query string of a domain name or page request, so that the server is ultimately tricked into executing malicious SQL commands.

We must never trust user input. We must assume that everything a user enters is unsafe, and we must filter all user-supplied data before it reaches the database.

In the following example, the username may only consist of letters, digits and underscores, and must be between 8 and 20 characters long:

if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   // $matches[0] can only contain [A-Za-z0-9_], so it cannot break out of
   // the quoted string literal below.
   $result = mysqli_query($conn, "SELECT * FROM users 
                          WHERE username='{$matches[0]}'");
}
 else 
{
   echo "username input is invalid";
}

Let's look at what happens to the SQL when special characters are not filtered:

// Suppose $name contains an SQL statement we do not want (deliberately vulnerable example)
$name = "Qadir'; DELETE FROM users;";
 mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the statement above, the $name variable is not filtered. The single quote in $name closes the string literal, and the SQL statement that follows it becomes part of the query, which would delete every row in the users table if the driver executed it.

mysqli_query() in PHP does not execute more than one SQL statement per call (mysqli_multi_query() does), but SQLite and PostgreSQL can execute several SQL statements at once, and even a single statement can be altered with injected conditions such as OR '1'='1', so user data must be strictly validated regardless of the driver.

To prevent SQL injection, we should pay attention to the following points:

  • 1. Never trust user input. Validate user input: use regular expressions, limit the length, and transform single quotes and double dashes (--), and so on.
  • 2. Never build SQL by dynamic string assembly. Use parameterized SQL, or call stored procedures directly, to query and access data.
  • 3. Never connect to the database with administrator privileges. Use a separate database connection with limited privileges for each application.
  • 4. Do not store confidential information in plain text. Encrypt or hash passwords and other sensitive information.
  • 5. The application's error messages should give away as little as possible; it is best to wrap the original database errors in custom error messages.
  • 6. SQL injection detection is generally done with auxiliary software or website platforms. For software, the SQL injection detection tool jsky is commonly used; for website platforms there are the Yisi website security platform detection tool, MDCSOFT SCAN and others. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks and more.
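As an added example, not part of the original post, here is the vulnerable query from the "Qadir'; DELETE FROM users;" snippet above rewritten with a mysqli prepared statement, which is what point 2 (parameterized SQL) means in practice. The connection parameters, table and column names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Throw mysqli_sql_exception on any MySQL error instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed connection details; use a low-privilege application account (point 3).
$conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$conn->set_charset('utf8mb4');

/**
 * Exact-match lookup of users by name using a prepared statement.
 * The SQL text is sent to the server once; $name travels separately as a
 * bound parameter, so its content can never change the statement's structure.
 */
function findUsersByName(mysqli $conn, string $name): array
{
    $stmt = $conn->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id, $rowName);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'name' => $rowName];
    }
    $stmt->close();
    return $rows;
}

// The payload from the vulnerable snippet above (constructed input). Here it
// is only a value to compare against, so the users table is untouched.
$payload = "Qadir'; DELETE FROM users;";
$rows = findUsersByName($conn, $payload);
printf("%d user(s) named exactly %s\n", count($rows), $payload);
```

The lookup returns only rows whose name is literally the payload string (normally none), and no DELETE is ever seen by the server. Input validation such as the username regex above still has its place: it rejects malformed values early, but it is the bound parameter that makes the query safe.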

Preventing SQL injection

In scripting languages such as Perl and PHP you can escape the data entered by the user to prevent SQL injection.

PHP's MySQLi extension provides the mysqli_real_escape_string() function to escape special characters. Note that escaping is only correct for a value placed inside a quoted string literal, and that the connection character set must be set with mysqli_set_charset() first (the escaping depends on it); prepared statements, as in point 2 above, avoid both pitfalls.

// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself
// no longer exists in PHP 8, so guard the call to keep the snippet runnable.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
  $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
 mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Injection in LIKE statements

In a LIKE query, if the value entered by the user contains "_" or "%", the following happens: the user wanted to search for "abcd_", but the results also include "abcde", "abcdf" and so on, because "_" matches any single character; the same problem appears when the user wants to search for "30%" (meaning thirty percent), because "%" matches any sequence of characters.

In a PHP script we can use the addcslashes() function to handle this case, as in the following example:

// Escape quotes for the string literal first, then the LIKE metacharacters
$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
 mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash in front of each of the specified characters.

Syntax:

addcslashes(string, characters)

Parameter   Description
string      Required. The string to be escaped.
characters  Required. The characters, or ranges of characters, that addcslashes() escapes.
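As an added example, not from the original post, the LIKE prefix search above rewritten so that the LIKE metacharacters are escaped with addcslashes() and the pattern is then passed as a bound parameter. With a bound parameter there is no string literal for a quote to break out of, so mysqli_real_escape_string() is not needed; only "%", "_" and the escape character "\" itself must be escaped. The table and column names are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Turn a user-supplied prefix into a LIKE pattern that matches it literally.
 * The backslash is included in the list because it is the LIKE escape
 * character; addcslashes() doubles it so a literal "\" in the input stays literal.
 */
function likePrefixPattern(string $prefix): string
{
    return addcslashes($prefix, '\\%_') . '%';
}

/**
 * Prefix search on messages.subject (assumed schema) with the pattern bound
 * as a parameter, so the SQL text never contains user data.
 */
function findMessagesBySubjectPrefix(mysqli $conn, string $prefix): array
{
    $pattern = likePrefixPattern($prefix);
    $stmt = $conn->prepare('SELECT id, subject FROM messages WHERE subject LIKE ?');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($id, $subject);

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'subject' => $subject];
    }
    $stmt->close();
    return $rows;
}

// Constructed inputs: the "%something_" value from the post, the "30%" case,
// and a value containing a backslash.
foreach (['%something_', '30%', 'a\\b'] as $input) {
    printf("%-12s -> %s\n", $input, likePrefixPattern($input));
}
```

For "%something_" the helper produces the same \%something\_ pattern (plus the trailing %) that the post shows, but it is sent as a parameter rather than spliced into the SQL. One caveat: MySQL uses "\" as the default LIKE escape character only when the NO_BACKSLASH_ESCAPES sql_mode is off; if that mode is enabled, add an explicit ESCAPE clause to the query and escape with the character you choose there.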

Hopefully Chen Weiliang's blog ( https://www.chenweiliang.com/ ) sharing "How does MySQL prevent SQL injection? SQL injection principles and prevention" has been helpful to you.

Welcome to share the link to this article: https://www.chenweiliang.com/cwl-500.html
