How does MySQL prevent SQL injection? SQL injection principles and prevention


MySQL and SQL injection

If you take data entered by a user through a web page and insert it into a MySQL database, you can run into SQL injection security problems.

This chapter introduces how to prevent SQL injection and how to filter the characters used in SQL injection with scripts.

So-called SQL injection is tricking the server into executing malicious SQL commands by inserting SQL commands into a web form submission, or into the query string of a domain name or page request.

We must never trust user input: we must assume that user-supplied data is unsafe, and all user input must be filtered.

In the following example, the entered username must consist only of letters, digits and underscores, and must be between 8 and 20 characters long:

if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
{
   // $matches[0] can only contain letters, digits and underscores here,
   // but it is still quoted so MySQL reads it as a string, not a column name
   $result = mysqli_query($conn, "SELECT * FROM users
                          WHERE username='$matches[0]'");
}
else
{
   echo "username input is invalid";
}

Let's look at the SQL injection that occurs when special characters are not filtered:

// Suppose an SQL statement we do not want has been inserted into $name
$name = "Qadir'; DELETE FROM users;";
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

In the injected statement above, we did not filter the $name variable, and an SQL statement we did not want was inserted into $name; it would delete all the data in the users table.

mysqli_query() in PHP is not allowed to execute multiple SQL statements, but in SQLite and PostgreSQL multiple SQL statements can be executed at once, so we must validate this user data strictly.

To prevent SQL injection, we need to pay attention to the following points:

1. Never trust user input. Validate user input; you can use regular expressions or limit the length; convert single quotes and double hyphens ("--"), etc.
2. Never use dynamically assembled SQL; use parameterized SQL, or use stored procedures directly for data queries and access.
3. Never connect to the database with administrator privileges; use a separate database connection with limited privileges for each application.
4. Do not store confidential information in plaintext; encrypt or hash passwords and other sensitive information.
5. The application's error messages should give as few hints as possible; it is best to use custom error messages to wrap the original error information.
6. SQL injection detection is generally done with auxiliary software or a website platform. The software commonly used is the SQL injection detection tool jsky, and on the platform side there is the Yisi website platform security detection tool, MDCSOFT SCAN, and others. Using MDCSOFT-IPS can effectively defend against SQL injection, XSS attacks, etc.
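Point 2 above recommends parameterized SQL instead of assembling the query from strings. The following is an added example that is not part of the original article: it performs the same users lookup as the validation example, but with a mysqli prepared statement. It assumes $conn is an open mysqli connection and that the users table has id and username columns.

```php
<?php
// Added example: parameterized lookup of a user by name with mysqli.
// Assumes $conn is an open mysqli connection (not created here).

function find_user_safe(mysqli $conn, string $username): ?array
{
    // The statement text is sent to the server with a placeholder; the value
    // is bound afterwards, so the server never parses the input as SQL.
    $stmt = mysqli_prepare($conn, "SELECT id, username FROM users WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . mysqli_error($conn));
    }
    mysqli_stmt_bind_param($stmt, "s", $username);   // "s": bind as a string
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $name);
    // mysqli_stmt_fetch() returns true while a row is available
    $row = mysqli_stmt_fetch($stmt) ? ['id' => $id, 'username' => $name] : null;
    mysqli_stmt_close($stmt);
    return $row;
}

$input = $_GET['username'] ?? '';
// Keep the article's input rule as well: validation enforces the business
// rule for usernames, binding prevents the value from changing the query.
if (!preg_match('/^\w{8,20}$/', $input)) {
    exit("username input is invalid");
}
$user = find_user_safe($conn, $input);
echo $user ? "found " . htmlspecialchars($user['username']) : "not found";
```

Even an input such as the article's "Qadir'; DELETE FROM users;" is then compared as a plain string value and simply matches no row.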

Preventing SQL injection

In scripting languages such as Perl and PHP you can escape user-supplied data to prevent SQL injection.

PHP's MySQL extension provides the mysqli_real_escape_string() function to escape special characters in the input.

// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() itself was
// removed in PHP 8.0, so guard the call; on old PHP it undoes the automatic
// escaping so that the value is not escaped twice
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
  $name = stripslashes($name);
}
$name = mysqli_real_escape_string($conn, $name);
mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");

Injection in LIKE statements

When querying with LIKE, if the user enters a value containing "_" or "%", the following happens: the user meant to search for "abcd_", but the results include "abcd_", "abcde", "abcdf" and so on; the same problem occurs when the user wants to search for "30%" (note: thirty percent).

In a PHP script we can use the addcslashes() function to handle the situation above, as in the following example:

$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_");
// $sub == \%something\_
mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
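The same prefix search can be done with a prepared statement, where only the LIKE wildcards need escaping. The block below is an added example that is not part of the original article; it assumes $conn is an open mysqli connection and uses the messages table and subject column from the query above, plus an id column.

```php
<?php
// Added example: prefix search on messages.subject with LIKE wildcards neutralised.
// Assumes $conn is an open mysqli connection (not created here).

// Escape the LIKE metacharacters (% and _) and the escape character itself.
// "!" is chosen as the escape character so the result does not depend on how
// the server treats backslashes (for example under NO_BACKSLASH_ESCAPES).
function like_escape(string $s, string $esc = '!'): string
{
    // The escape character is replaced first so later replacements are not re-escaped
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function find_messages_by_prefix(mysqli $conn, string $prefix): array
{
    // Escaped prefix followed by one real wildcard gives "starts with"
    $pattern = like_escape($prefix) . '%';
    $stmt = mysqli_prepare(
        $conn,
        "SELECT id, subject FROM messages WHERE subject LIKE ? ESCAPE '!'"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . mysqli_error($conn));
    }
    // A bound value is never parsed as SQL, so mysqli_real_escape_string() is
    // not needed here; the wildcard escaping above is what still matters.
    mysqli_stmt_bind_param($stmt, "s", $pattern);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $subject);
    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = ['id' => $id, 'subject' => $subject];
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// The article's two cases: a search for "abcd_" must not match "abcde", and
// a search for "30%" must not match every subject starting with "30".
$rows = find_messages_by_prefix($conn, $_GET['q'] ?? '');
```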

The addcslashes() function adds a backslash in front of the specified characters.

Syntax:

addcslashes(string,characters)

Parameter     Description
string        Required. Specifies the string to be checked.
characters    Optional. Specifies the character or range of characters affected by addcslashes().

I hope that Chen Weiliang's blog ( https://www.chenweiliang.com/ ) sharing "How does MySQL prevent SQL injection? SQL injection principles and prevention" will help you.

You are welcome to share the link to this article: https://www.chenweiliang.com/cwl-500.html
