How does MySQL prevent SQL injection? SQL injection principles and prevention


MySQL and SQL injection

If you take data entered by a user through a web page and insert it into a MySQL database, you may run into SQL injection security problems.

This chapter shows how to prevent SQL injection and how to use scripts to filter the characters used in SQL injection.

So-called SQL injection means tricking the server into executing malicious SQL commands by inserting SQL commands into a web form submission, or into the query string of a domain name or page request.

Never trust user input. Assume that all user-supplied data is unsafe, and filter every piece of it.

In the following example, the username must consist only of letters, digits and underscores, and must be between 8 and 20 characters long:

if (isset($_GET['username']) && preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   // \w matches only [A-Za-z0-9_], so $matches[0] cannot contain quotes,
   // semicolons or comment markers. The value still has to be quoted in
   // the SQL, otherwise MySQL would read it as a column name or a number.
   $result = mysqli_query($conn, "SELECT * FROM users 
                          WHERE username='{$matches[0]}'");
}
else 
{
   echo "username input invalid";
}

Let's look at what happens to the SQL when special characters are not filtered:

// Set $name to contain an SQL statement we do not want
$name = "Qadir'; DELETE FROM users;";
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the injection example above we did not filter the $name variable. The SQL statement we do not want is placed into $name, and it would delete all the data in the users table.

mysqli_query() in PHP refuses to execute multiple SQL statements in one call (only mysqli_multi_query() does), but SQLite and PostgreSQL can execute several SQL statements at once, so this data must be strictly validated. Note that stacked statements are not required for injection at all: a value such as ' OR '1'='1 or a UNION SELECT changes the meaning of the single statement that mysqli_query() does execute, so the MySQL restriction is not a defence.

To prevent SQL injection, pay attention to the following points:

  • 1. Never trust user input. Validate user input, for example with regular expressions or by limiting its length; convert single quotes, double quotes, "--" and similar characters.
  • 2. Never assemble SQL dynamically. Use parameterized SQL, or use stored procedures directly for data queries and access.
  • 3. Never connect to the database with an administrator account. Give each application its own database connection with limited privileges.
  • 4. Do not store confidential information in plain text; encrypt or hash passwords and sensitive data.
  • 5. Application error messages should reveal as little as possible; wrap the original error in a custom error message.
  • 6. SQL injection detection is usually done with a software tool or a website platform scanner. Common software tools include the SQL injection detection tool jsky; website-platform tools include the Yisi website security platform scanner and MDCSOFT SCAN. MDCSOFT-IPS can be used to defend against SQL injection, XSS attacks and the like.

Preventing SQL Injection

In scripting languages such as Perl and PHP you can escape user-entered data to prevent SQL injection.

PHP's MySQL extension provides the mysqli_real_escape_string() function to escape the special characters in input.

// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() itself
// in PHP 8.0; on older versions undo its automatic escaping first so the
// value is not escaped twice.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) 
{
  $name = stripslashes($name);
}
// mysqli_real_escape_string() escapes according to the connection's
// character set, so the charset must be set on the connection first.
mysqli_set_charset($conn, 'utf8mb4');
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Escaping only protects a value that is placed inside quotes in the SQL text; a value used in a numeric context such as WHERE id=$id has no quote to escape and stays injectable. Prepared statements with bound parameters avoid both problems.
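The following is an added example, not code from the original article, illustrating point 2 of the list above (parameterized SQL instead of dynamically assembled SQL) and the limits of the escaping shown here. It assumes a table users(id INT, name VARCHAR(64), email VARCHAR(128)); the DEMO_DB_* environment variables are a constructed convention for this demo, and a live MySQL server is only needed for the last part of the script.

```php
<?php
// Added example (not from the original article): the user lookup written
// three ways, so the difference between escaping and parameterising is
// visible. Assumed schema: users(id INT, name VARCHAR(64), email VARCHAR(128)).

// 1. Dynamically assembled SQL: the value is pasted into the query text.
function unsafe_by_name(string $name): string
{
    return "SELECT id, name, email FROM users WHERE name='{$name}'";
}

// 2. Escaping protects a value that sits inside quotes. In a numeric context
//    there is no quote for the attacker to break out of, so there is nothing
//    for mysqli_real_escape_string() to escape and the payload passes through.
function escaped_by_id(mysqli $conn, string $id): string
{
    $id = mysqli_real_escape_string($conn, $id);   // leaves "1 OR 1=1" unchanged
    return "SELECT id, name, email FROM users WHERE id={$id}";
}

// 3. Prepared statements: the SQL text is fixed, the values travel separately
//    and typed, so quotes, keywords and ';' in them can never alter the query.
function safe_by_id(mysqli $conn, string $id): array
{
    $idNum = filter_var($id, FILTER_VALIDATE_INT);
    if ($idNum === false) {
        return [];                       // reject non-integers instead of coercing them
    }
    $stmt = $conn->prepare("SELECT id, name, email FROM users WHERE id = ?");
    $stmt->bind_param('i', $idNum);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

function safe_by_name(mysqli $conn, string $name): array
{
    $stmt = $conn->prepare("SELECT id, name, email FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);       // a row matches only if the name is literally this string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed payloads. None of them needs a second statement, so the fact
// that mysqli_query() refuses stacked queries does not stop them.
// (MySQL requires whitespace after "--" for it to start a comment.)
$namePayloads = ["Qadir", "' OR '1'='1", "' OR 1=1 -- ",
                 "' UNION SELECT 1, user, host FROM mysql.user -- "];
$idPayloads   = ["42", "1 OR 1=1", "0 UNION SELECT 1, user, host FROM mysql.user"];

foreach ($namePayloads as $p) {
    echo unsafe_by_name($p), "\n";       // the text the server would actually execute
}

// Connection details come from the environment (a convention made up for this
// demo); without them the script stops after showing the assembled queries.
if (getenv('DEMO_DB_HOST') === false) {
    exit(0);
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli((string) getenv('DEMO_DB_HOST'), (string) getenv('DEMO_DB_USER'),
                   (string) getenv('DEMO_DB_PASS'), (string) getenv('DEMO_DB_NAME'));
$conn->set_charset('utf8mb4');           // mysqli_real_escape_string() depends on this

foreach ($idPayloads as $p) {
    echo escaped_by_id($conn, $p), "\n"; // escaping changed nothing here
    printf("safe_by_id(%s): %d row(s)\n", $p, count(safe_by_id($conn, $p)));
}
foreach ($namePayloads as $p) {
    printf("safe_by_name(%s): %d row(s)\n", $p, count(safe_by_name($conn, $p)));
}
$conn->close();
```

The UNION payloads also show why point 3 of the list matters: reading mysql.user only succeeds if the application's database account has been granted that privilege, which a per-application, least-privilege account would not have.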

Injection in LIKE Statements

When querying with LIKE, if the user enters a value containing "_" or "%", the following happens: the user wanted to search for "abcd_", but the results also include "abcde", "abcdf" and so on, because "_" matches any single character; the same problem occurs when the user wants to search for "30%" (meaning thirty percent), because "%" matches any sequence of characters.

In a PHP script we can use the addcslashes() function to handle the situation above, as in the following example:

// Escape for the SQL string literal first, then for LIKE; in this order the
// backslashes added for "%" and "_" reach MySQL as single backslashes.
$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

The addcslashes() function adds a backslash in front of the specified characters. MySQL treats \% and \_ in a LIKE pattern as a literal percent sign and underscore (the backslash is the default LIKE escape character), so the user's wildcards no longer match arbitrary text.

Syntax:

addcslashes(string, characters)
Parameter description:
string: Required. The string to be escaped.
characters: Required. The character, or range of characters, that addcslashes() escapes.
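The following is an added example, not code from the original article, that combines the LIKE escaping above with a prepared statement. It uses "!" as an explicit LIKE escape character rather than the backslash, which keeps the LIKE escaping independent of the string-literal escaping and of the server's sql_mode; the messages(subject VARCHAR(255)) table and the connection settings are assumptions.

```php
<?php
// Added example (not from the original article): a prefix search on
// messages.subject (assumed schema) where the user's text is a bound
// parameter and its LIKE wildcards are neutralised with an explicit
// escape character.

// Make the user's "%" and "_" match themselves. The escape character is
// escaped first so a user-supplied "!" cannot un-escape the next character.
function escape_like(string $s, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

// The "%" that implements "starts with" is added inside the SQL text with
// CONCAT, never taken from the user; ESCAPE '!' tells MySQL which character
// escape_like() used.
function search_subjects(mysqli $conn, string $prefix): array
{
    $pattern = escape_like($prefix);
    $stmt = $conn->prepare(
        "SELECT subject FROM messages WHERE subject LIKE CONCAT(?, '%') ESCAPE '!'"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // needs the mysqlnd driver
    $stmt->close();
    return array_column($rows, 'subject');
}

// Constructed inputs from the text above plus one containing the escape
// character itself; run without a server to inspect the patterns produced.
foreach (["abcd_", "30%", "a!b", "plain"] as $input) {
    printf("%-8s -> LIKE '%s%%' ESCAPE '!'\n", $input, escape_like($input));
}

// Connection details are a convention made up for this demo; skip the live
// part when they are absent.
if (getenv('DEMO_DB_HOST') === false) {
    exit(0);
}
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli((string) getenv('DEMO_DB_HOST'), (string) getenv('DEMO_DB_USER'),
                   (string) getenv('DEMO_DB_PASS'), (string) getenv('DEMO_DB_NAME'));
$conn->set_charset('utf8mb4');
foreach (["abcd_", "30%"] as $input) {
    printf("%s: %d subject(s)\n", $input, count(search_subjects($conn, $input)));
}
$conn->close();
```

With this scheme a search for "30%" becomes the pattern 30!%% with ESCAPE '!', so only subjects that literally start with "30%" match, and because the pattern is a bound parameter there is no string literal for quotes in the input to break out of.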

Hope that Chen Weiliang Blog ( https://www.chenweiliang.com/ ) sharing "How does MySQL prevent SQL injection? SQL injection principles and prevention" helps you.

Welcome to share the link to this article: https://www.chenweiliang.com/cwl-500.html
