Chen Weiliang blog network promotion LOGO

MySQL e thibela ente ea sql joang? Molao-motheo oa ente ea SQL le thibelo

MySQLMokhoa oa ho thibela ente ea sql? Molao-motheo oa ente ea SQL le thibelo

MySQL le ente ea SQL

Haeba o nka data e kentsoeng ke mosebelisi ka leqephe la webo ebe o e kenya hoMySQL database, ebe ho ka ba le mathata a ts'ireletso ea ente ea SQL.

Khaolo ena e tla u tsebisa mokhoa oa ho thibela ente ea SQL le ho sebelisa mangolo ho sefa litlhaku tse kentsoeng ho SQL.

Seo ho thoeng ke ente ea SQL ke ho thetsa sebatli hore se phethe litaelo tse mpe tsa SQL ka ho kenya litaelo tsa SQL foromong ea tepo ho kenya kapa ho kenya lipotso tsa domain name kapa kopo ea leqephe.

Le ka mohla ha rea ​​​​lokela ho tšepa tlhahiso ea mosebelisi, re tlameha ho nka hore data ea mosebelisi ha ea bolokeha, 'me kaofela re hloka ho sefa data ea mosebelisi.

Mohlaleng o latelang, lebitso la mosebelisi le kentsoeng e tlameha ho ba motswako oa litlhaku, linomoro le li-underscore, 'me lebitso la mosebelisi le be pakeng tsa litlhaku tse 8 le tse 20 ka bolelele:

if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   $result = mysqli_query($conn, "SELECT * FROM users 
                          WHERE username=$matches[0]");
}
 else 
{
   echo "username 输入异常";
}

Ha re shebeng boemo ba SQL bo etsahalang ha ho se na litlhaku tse ikhethileng:

// 设定$name 中插入了我们不需要的SQL语句
$name = "Qadir'; DELETE FROM users;";
 mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Setatementeng se kaholimo sa ente, ha rea ​​sefa phetoho ea $name.Polelo ea SQL eo re sa e hlokeng e kentsoe ho $name, e tla hlakola lintlha tsohle tse tafoleng ea basebelisi.

mysqli_query() ho PHP ha e lumelloe ho etsa lipolelo tse ngata tsa SQL, empa ho SQLite le PostgreSQL, lipolelo tse ngata tsa SQL li ka etsoa ka nako e le 'ngoe, kahoo re hloka ho netefatsa lintlha tsa basebelisi bana ka tieo.

Ho thibela ente ea SQL, re hloka ho ela hloko lintlha tse latelang:

  • 1. Le ka mohla u se ke ua tšepa tlhahiso ea mosebedisi.Lekola tlhahiso ea mosebelisi, o ka sebelisa mantsoe a tloaelehileng, kapa oa fokotsa bolelele; fetolela mantsoe a qotsitsoeng a le mong le "-", joalo-joalo.
  • 2. Le ka mohla u se ke ua sebelisa dynamic assembly sql, u ka sebelisa parameterized sql kapa ka ho toba sebelisa mekhoa e bolokiloeng bakeng sa ho botsa le ho fihlella data.
  • 3. Le ka mohla u se ke ua sebelisa likhokahano tsa database le litokelo tsa batsamaisi, sebelisa likhokahano tse arohaneng tsa database tse nang le litokelo tse fokolang bakeng sa ts'ebeliso ka 'ngoe.
  • 4. U se ke ua boloka boitsebiso ba lekunutu ka ho toba, ua patala kapa ua potlakela ho boloka li-passwords le lintlha tsa bohlokoa.
  • 5. Tlhahisoleseding ea mokhelo ea kopo e lokela ho fana ka malebela a fokolang ka moo ho ka khonehang, 'me ho molemo ho sebelisa tlhaiso-leseling ea phoso ho phuthela lintlha tsa phoso tsa mantlha.
  • 6. Mokhoa oa ho lemoha oa ente ea sql ka kakaretso o amohela thuso软件Kapa sethala sa sebaka sa marang-rang ho lemoha, software ka kakaretso e sebelisa sesebelisoa sa ho bona ente ea sql jsky, sethala sa marang-rang se na le sesebelisoa sa ho lemoha sethala sa ts'ireletso sa Yisi. MDCSOFT SCAN et al.Ho sebelisa MDCSOFT-IPS ho ka itšireletsa ka katleho khahlanong le ente ea SQL, litlhaselo tsa XSS, joalo-joalo.

Thibela Ente ea SQL

Ka lipuo tse ngoloang joalo ka Perl le PHP u ka baleha data e kentsoeng ke mosebelisi ho thibela ente ea SQL.

Katoloso ea MySQL bakeng sa PHP e fana ka ts'ebetso ea mysqli_real_escape_string () ho baleha litlhaku tse ikhethileng.

if (get_magic_quotes_gpc()) 
{
  $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
 mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Ente ka Like Statements

Ha u botsa joalo ka, haeba mosebelisi a kenya boleng ka "_" le "%", sena se tla etsahala: qalong mosebelisi o ne a batla ho botsa "abcd_", empa liphetho tsa potso li kenyelletsa "abcd_", "abcde", le "abcdf " Joalo-joalo; bothata bo boetse bo etsahala ha mosebelisi a batla ho botsa "30%" (hlokomela: liperesente tse mashome a mararo).

Sengoliloeng sa PHP re ka sebelisa tšebetso ea addcslashes () ho sebetsana le boemo bo kaholimo, joalo ka mohlala o latelang:

$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
 mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");

Mosebetsi oa addcslash () o eketsa ho khutlela morao pele ho sebopeho se boletsoeng.

Sebopeho sa syntax:

addcslashes(string,characters)
Paramentetlhaloso
KhoeleHo hlokahala.E totobatsa khoele e lokelang ho hlahlojoa.
litlhakuTaba ea boikhethelo.E hlalosa sebopeho kapa mefuta e mengata ea litlhaku tse anngoeng ke li-addislash().

Hope Chen Weiliang Blog ( https://www.chenweiliang.com/ ) e arolelane "MySQL e thibela ente ea sql joang? sql molao-motheo oa ente le thibelo", e tla u thusa.

Rea u amohela ho arolelana sehokelo sa sengoloa sena:https://www.chenweiliang.com/cwl-500.html

Rea u amohela ho mocha oa Telegraph oa blog ea Chen Weiliang ho fumana lintlha tsa morao-rao!

Tobetsa mona ho ikopanya le mocha oa Telegraph hona joale

🔔 Eba oa pele oa ho fumana Tataiso ea Tšebeliso ea "ChatGPT Content Marketing AI" ea bohlokoa bukeng ea holimo ea seteishene! 🌟
📚 Tataiso ena e na le boleng bo boholo, 🌟Ona ke monyetla o sa tloaelehang, se ke oa o fetoa! ⏰⌛💨
Share le rata haeba u rata!
Ho arolelana le lintho tseo u li ratang ke khothatso ea rona e tsoelang pele!

 

Comments

Aterese ea hau ea lengolo tsoibila e ke ke ea phatlalatsoa. Ho sebelisoa masimo a hlokahalang * Letšoao

Copyright © Chen Weiliang Blog Litokelo tsohle li sirelelitsoe
tsamaisetsa hodimo