How does MySQL prevent SQL injection? SQL injection principles and prevention
MySQL and SQL injection
If you take data submitted by a user through a web page and insert it into a MySQL database, you are exposed to SQL injection.
This article shows how to prevent SQL injection and how to filter, in a script, the characters that would otherwise be injected into SQL.
So-called SQL injection means tricking the server into executing malicious SQL commands by inserting SQL into a web form submission, or into the query string of a domain name or page request.
We should never trust user input; we must assume that user input is unsafe, and all of it needs to be filtered.
In the following example, the username must consist only of letters, digits and underscores, and must be between 8 and 20 characters long:
```php
// Allowlist: 8 to 20 characters from [A-Za-z0-9_]; anything else is rejected
if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
    // The matched value is quoted so MySQL compares it as a string literal
    $result = mysqli_query($conn, "SELECT * FROM users WHERE username='{$matches[0]}'");
}
else
{
    echo "username 输入异常"; // "username input is invalid"
}
```
Let us look at what happens in SQL when the special characters are not filtered:
```php
// Suppose an SQL statement we do not want has been inserted into $name
$name = "Qadir'; DELETE FROM users;";
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
```
In the injection statement above we did not filter the $name variable. The SQL statement we did not want was inserted through $name, and it would delete every record in the users table.
In PHP, mysqli_query() does not allow several SQL statements to be executed in one call, but SQLite and PostgreSQL can execute several SQL statements at once, so user data sent to those databases must be strictly validated.
To prevent SQL injection, pay attention to the following points:
- 1. Never trust user input. Check user input: you can use regular expressions or limit its length, and escape single quotes and double hyphens ("--"), among others.
- 2. Never use dynamically assembled SQL; use parameterized SQL, or use stored procedures directly, for data queries and access.
- 3. Never use a database connection with administrator privileges; use a separate connection with limited privileges for each application.
- 4. Do not store confidential information as-is; encrypt or hash sensitive information.
- 5. The application's exception messages should give as few hints as possible; it is best to wrap the original error messages in custom error messages.
- 6. SQL injection is usually detected with auxiliary software or a website platform: the software side commonly uses the SQL injection detection tool jsky, and on the platform side there is the Yisi website security platform detection tool, MDCOFT SCAN and others. Using MDCOFT-IPS can effectively defend against SQL injection, XSS attacks and so on.
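As an added example (not code from the page), points 1 and 2 above are shown in Python against an in-memory SQLite database, which, as noted above, will run several statements from one string; the table, rows and function names are constructed for this demonstration. In PHP the same protection comes from mysqli prepared statements (prepare / bind_param).

```python
import re
import sqlite3
from typing import Optional

# Constructed in-memory stand-in for the page's MySQL `users` table.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("qadir_01", "Qadir"), ("alice_2024", "Alice")])
    conn.commit()
    return conn

# Point 1: the page's allowlist ^\w{8,20}$ (re.ASCII mirrors PHP's non-Unicode \w).
USERNAME_RE = re.compile(r"^\w{8,20}$", re.ASCII)

def validate_username(raw: str) -> Optional[str]:
    """Return the username only if it matches the allowlist, else None."""
    return raw if USERNAME_RE.match(raw) else None

def find_user_unsafe(conn: sqlite3.Connection, name: str) -> int:
    """Dynamic assembly, the pattern the page warns against. executescript()
    runs every statement in the string, so a DELETE smuggled into the input
    executes. Returns how many rows are left in `users` afterwards."""
    try:
        conn.executescript(f"SELECT * FROM users WHERE name='{name}'")
    except sqlite3.Error:
        pass  # the trailing `'` is malformed, but the DELETE has already run
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def find_user_safe(conn: sqlite3.Connection, name: str) -> tuple:
    """Point 2: a parameterised query. The driver sends `name` as data, so the
    whole input is compared as one literal and never parsed as SQL.
    Returns (matching rows, rows left in `users`)."""
    matches = conn.execute("SELECT * FROM users WHERE name=?", (name,)).fetchall()
    remaining = conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]
    return len(matches), remaining

if __name__ == "__main__":
    hostile = "Qadir'; DELETE FROM users;"        # the page's example input
    print(find_user_unsafe(make_db(), hostile))    # 0: table emptied
    print(find_user_safe(make_db(), hostile))      # (0, 2): no match, rows intact
    print(validate_username(hostile))              # None: rejected before any SQL
```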
Preventing SQL injection
In scripting languages such as Perl and PHP you can escape user-submitted data to prevent SQL injection.
PHP's MySQL extension provides the mysqli_real_escape_string() function to escape special characters in the input.
```php
// get_magic_quotes_gpc() was removed in PHP 8; the function_exists() guard keeps this runnable there
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
```
Injection in LIKE statements
When querying with LIKE, if the value entered by the user contains "_" or "%", the following happens: the user originally wanted to search for "abcd_", but the results include "abcd_", "abcde", "abcdf" and so on; the same problem occurs when the user wants to search for "30%" (meaning: thirty percent).
In a PHP script we can use the addcslashes() function to handle the situation above, as in the following example:
```php
$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
```
The addcslashes() function adds a backslash in front of the specified characters.
Syntax:
```php
addcslashes(string,characters)
```
| Parameter | Description |
|---|---|
| string | Required. Specifies the string to be checked. |
| characters | Optional. Specifies the character or range of characters affected by addcslashes(). |
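As an added example (not the page's code), the LIKE problem above in Python against an in-memory SQLite table with constructed rows; escape_like plays the role of addcslashes($s, "%_"). It also shows the caveat the PHP snippet hides: with parameter binding the mysqli_real_escape_string step is unnecessary, but the wildcard escaping is still required, and SQLite needs an explicit ESCAPE clause where MySQL defaults to backslash.

```python
import sqlite3

# Constructed rows for the page's scenario: the user wants subjects that start
# with the literal "abcd_", or with the literal "30%".
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (subject TEXT)")
    conn.executemany("INSERT INTO messages VALUES (?)",
                     [("abcd_",), ("abcde",), ("abcdf",), ("30%",), ("300",)])
    return conn

def escape_like(value: str, esc: str = "\\") -> str:
    """Same job as the page's addcslashes($s, "%_"): make % and _ literal.
    The escape character is doubled first, otherwise an input ending in a
    backslash would swallow the escape added for a following wildcard."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))

def prefix_search_naive(conn: sqlite3.Connection, prefix: str) -> list:
    """Bound parameter, no wildcard escaping: injection is impossible, but the
    user's % and _ still act as wildcards, so 'abcd_' also matches 'abcde'."""
    rows = conn.execute("SELECT subject FROM messages WHERE subject LIKE ?",
                        (prefix + "%",))
    return sorted(r[0] for r in rows)

def prefix_search(conn: sqlite3.Connection, prefix: str) -> list:
    """Escaped wildcards plus an explicit ESCAPE clause. MySQL treats backslash
    as the LIKE escape by default (which is why the page's \\%something\\_ works);
    SQLite and portable SQL need it declared."""
    rows = conn.execute(
        "SELECT subject FROM messages WHERE subject LIKE ? ESCAPE '\\'",
        (escape_like(prefix) + "%",))
    return sorted(r[0] for r in rows)

if __name__ == "__main__":
    db = make_db()
    print(prefix_search_naive(db, "abcd_"))  # ['abcd_', 'abcde', 'abcdf']
    print(prefix_search(db, "abcd_"))        # ['abcd_']
    print(prefix_search_naive(db, "30%"))    # ['30%', '300']
    print(prefix_search(db, "30%"))          # ['30%']
```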
We hope Chen Weiliang Blog (https://www.chenweiliang.com/) sharing "How does MySQL prevent SQL injection? SQL Injection Principles and Prevention" helps you.
Feel free to share the link to this article: https://www.chenweiliang.com/cwl-500.html