How does MySQL prevent SQL injection? SQL injection principles and prevention


MySQL and SQL injection

If you take data entered by a user through a web page and insert it into a MySQL database, you may run into the security problem of SQL injection.

This chapter shows how to prevent SQL injection and how to filter the characters used for SQL injection in your scripts.

So-called SQL injection is the trick of getting the server to execute malicious SQL commands by inserting SQL commands into a submitted web form, or into the query string of a domain name or page request.

We should never trust user input; we must assume that user input data is unsafe, and we need to filter all of it.

In the following example, the username must consist only of letters, digits and underscores, and must be between 8 and 20 characters long:

if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   // $matches[0] now contains only letters, digits and underscores, 8 to 20 characters long;
   // the value is still quoted as a string literal so the SQL is well-formed
   $result = mysqli_query($conn, "SELECT * FROM users
                          WHERE username='{$matches[0]}'");
}
else
{
   echo "username 输入异常";   // "username input is invalid"
}

Let's look at the SQL that results when special characters are not filtered:

// Suppose $name has had an SQL statement we do not want inserted into it
$name = "Qadir'; DELETE FROM users;";
// The single quote closes the string literal and the semicolon starts a second statement
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the injection example above, we did not filter the $name variable. The SQL statement we do not want is embedded in $name, and it would delete all the data in the users table.

mysqli_query() in PHP does not allow several SQL statements to be executed in one call, but SQLite and PostgreSQL can execute several SQL statements at once, so this user data must be strictly validated.

To prevent SQL injection, we need to pay attention to the following points:

  • 1. Never trust user input. Check user input; you can use regular expressions or limit its length, and convert single quotes and double dashes ("--"), and so on.
  • 2. Never assemble SQL dynamically; use parameterized SQL, or use stored procedures directly for querying and accessing data.
  • 3. Never use a database connection with administrator privileges; use a separate connection with limited privileges for each application.
  • 4. Do not store confidential information in plain text; encrypt or hash sensitive information.
  • 5. The application's exception messages should give as few hints as possible; it is best to wrap the original error messages in custom error messages.
  • 6. SQL injection is generally detected with auxiliary software or a website platform: software generally uses the SQL injection detection tool jsky, and website platforms include the Yisi website security platform detection tool, MDCSOFT SCAN, and so on. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks, and so on.
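Here is an added example (not code from the original post) that puts the $name value from above through both approaches: the string assembly the post warns against, and the parameterized query recommended in point 2. It assumes PDO and uses an in-memory SQLite database as a stand-in for MySQL so it runs without a server; the same PDO calls work unchanged with a MySQL DSN.

```php
<?php
// Added example, not code from the original post. An in-memory SQLite
// database stands in for MySQL so the script runs without a server; the
// PDO calls are the same for a MySQL DSN such as "mysql:host=...;dbname=...".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO users (name) VALUES ('Qadir'), ('Alice')");  // constructed rows

// The value from the post: the quote closes the string literal and the
// semicolon starts a second statement.
$name = "Qadir'; DELETE FROM users;";

// Unsafe: the value becomes part of the SQL text. Only the resulting text is
// shown here; it is never sent to the database.
function unsafeQueryText(string $name): string
{
    return "SELECT * FROM users WHERE name='{$name}'";
}
echo "Assembled SQL: ", unsafeQueryText($name), "\n";

// Safe: a prepared statement with a bound parameter. The driver sends $name
// as data, so quotes and semicolons in it cannot change the query structure.
function findUserByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validation is a second layer, as in the username check above: the same
// regular expression as a reusable function.
function isValidUsername(string $username): bool
{
    return preg_match('/^\w{8,20}$/', $username) === 1;
}

$rows      = findUserByName($pdo, $name);   // no row has that literal name
$remaining = (int) $pdo->query("SELECT COUNT(*) FROM users")->fetchColumn();
printf("rows matched: %d, rows still in users: %d\n", count($rows), $remaining);
printf("'%s' passes the username rule: %s\n", $name,
       isValidUsername($name) ? 'yes' : 'no');
```

The users table keeps both rows after the prepared query, whereas the assembled text, had it been executed by a driver that accepts multiple statements, would carry the DELETE along with it.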

Preventing SQL injection

In scripting languages such as Perl and PHP you can escape the data entered by the user to prevent SQL injection.

The MySQL extension for PHP provides the mysqli_real_escape_string() function to escape special characters in input.

// Magic quotes only exist on PHP older than 5.4 (the function itself was removed in PHP 8);
// where they are on, undo their escaping first so the value is not escaped twice
if (get_magic_quotes_gpc())
{
  $name = stripslashes($name);
}
// Escape quotes, backslashes and NUL bytes using the connection's character set
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Injection in LIKE statements

When querying with LIKE, if the user enters a value containing "_" or "%", the following happens: the user originally wanted to search for "abcd_", but the query results include "abcd_", "abcde", "abcdf" and so on; the same problem arises when the user wants to search for "30%" (note: thirty percent).

In a PHP script we can use the addcslashes() function to handle the situation above, as in the following example:

// First escape quotes and backslashes for the string literal, then put a backslash before the
// LIKE wildcards % and _ so they match literally; the trailing % added below stays a wildcard
$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash before the specified characters.

Syntax:

addcslashes(string, characters)

Parameter    Description
string       Required. Specifies the string to check.
characters   Optional. Specifies the character or range of characters affected by addcslashes().
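An added example (not code from the original post) for the LIKE case above: it escapes %, _ and the escape character itself, as the addcslashes() call does, but binds the finished pattern as a parameter and names the escape character with an ESCAPE clause instead of interpolating the text into the SQL. It assumes PDO and a constructed in-memory SQLite table of messages as a stand-in for MySQL.

```php
<?php
// Added example, not code from the original post. In-memory SQLite stands in
// for MySQL; the LIKE ... ESCAPE syntax and the PDO calls are the same there.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT NOT NULL)");
$insert = $pdo->prepare("INSERT INTO messages (subject) VALUES (?)");
foreach (['abcd_', 'abcde', 'abcdf', '30% off', '30 days'] as $subject) {
    $insert->execute([$subject]);   // constructed sample rows
}

// Escape the characters LIKE treats specially: the escape character itself
// first, so that the escapes added for % and _ are not doubled afterwards.
// '!' is used as the escape character because it needs no special quoting
// in either SQLite or MySQL string literals.
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace(
        [$esc,        '%',        '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $value
    );
}

// Prefix search: the user's text is escaped so it matches literally, the
// trailing % wildcard is added by the code, and the whole pattern is bound
// as a parameter rather than interpolated into the SQL text.
function findSubjectsByPrefix(PDO $pdo, string $prefix): array
{
    $stmt = $pdo->prepare(
        "SELECT subject FROM messages WHERE subject LIKE ? ESCAPE '!'"
    );
    $stmt->execute([escapeLike($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// "abcd_" now matches only the subject that really starts with "abcd_", not
// "abcde" or "abcdf"; "30%" matches "30% off" but not "30 days".
print_r(findSubjectsByPrefix($pdo, 'abcd_'));
print_r(findSubjectsByPrefix($pdo, '30%'));
```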

Hope Chen Weiliang Blog ( https://www.chenweiliang.com/ ) sharing "How does MySQL prevent SQL injection? SQL Injection Principles and Prevention" is helpful to you.

Welcome to share the link to this article: https://www.chenweiliang.com/cwl-500.html
