Uhla lwemibhalo ye-athikili
MySQLUngawuvimbela kanjani umjovo we-sql? Isimiso somjovo we-SQL nokuvimbela
MySQL kanye nomjovo we-SQL
Uma uthatha idatha efakwe umsebenzisi ngekhasi lewebhu bese ulifaka ku-MySQL database, kungase kube nezinkinga zokuphepha komjovo we-SQL.
Lesi sahluko sizokwethula indlela yokuvimbela ukujova kwe-SQL nokusebenzisa imibhalo ukuze uhlunge izinhlamvu ezijovwe ku-SQL.
Lokhu okubizwa ngomjovo we-SQL kuwukukhohlisa iseva ukuthi isebenzise imiyalo ye-SQL enonya ngokufaka imiyalo ye-SQL efomini lewebhu ukuze ihambise noma ifake uchungechunge lombuzo lwegama lesizinda noma isicelo sekhasi.
Akufanele neze sikwethembe okokufaka komsebenzisi, kufanele sicabange ukuthi idatha yokufaka yomsebenzisi ayiphephile, futhi sonke sidinga ukuhlunga idatha yokufaka yomsebenzisi.
Esibonelweni esilandelayo, igama lomsebenzisi elifakiwe kufanele libe inhlanganisela yezinhlamvu, izinombolo, nama-underscore, futhi igama lomsebenzisi kufanele libe phakathi kwezinhlamvu eziyi-8 nezingu-20 ubude:
if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches)) { $result = mysqli_query($conn, "SELECT * FROM users WHERE username=$matches[0]"); } else { echo "username 输入异常"; }
Ake sibheke isimo se-SQL esenzeka lapho kungekho zinhlamvu ezikhethekile ezihlungwayo:
// 设定$name 中插入了我们不需要的SQL语句 $name = "Qadir'; DELETE FROM users;"; mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
Esitatimendeni somjovo esingenhla, asihlunganga okuhlukile kwe-$name. Isitatimende se-SQL esingasidingi sishuthekwa ku-$name, esizosusa yonke idatha kuthebula labasebenzisi.
mysqli_query() ku-PHP ayivunyelwe ukwenza izitatimende ze-SQL eziningi, kodwa i-SQLite ne-PostgreSQL zingasebenzisa izitatimende ze-SQL eziningi ngesikhathi esisodwa, ngakho-ke sidinga ukuqinisekisa ngokuqinile idatha yalaba basebenzisi.
Ukuvimbela umjovo we-SQL, sidinga ukunaka amaphuzu alandelayo:
- 1. Ungalinge uthembele okokufaka komsebenzisi.Hlola okokufaka komsebenzisi, ungasebenzisa izinkulumo ezivamile, noma ukhawule ubude; guqula izingcaphuno ezizodwa kanye nokuphinda kabili okuthi "-", njll.
- 2. Ungalokothi usebenzise i-dynamic assembly sql, ungasebenzisa i-sql enepharamitha noma usebenzise ngokuqondile izinqubo ezigciniwe zombuzo nokufinyelela idatha.
- 3. Ungalokothi usebenzise uxhumo lwesizindalwazi ngamalungelo omlawuli, sebenzisa ukuxhumana kwesizindalwazi esihlukene namalungelo anomkhawulo wohlelo ngalunye.
- 4. Ungagcini imininingwane eyimfihlo ngokuqondile, bhala ngemfihlo noma ukhiphe amagama ayimfihlo kanye nolwazi olubucayi.
- 5. Ulwazi oluhlukile lohlelo lokusebenza kufanele lunikeze amacebo ambalwa ngangokunokwenzeka, futhi kungcono kakhulu ukusebenzisa ulwazi lwephutha langokwezifiso ukugoqa ulwazi lwephutha lokuqala.
- 6. Indlela yokuthola umjovo we-sql ngokuvamile ithatha isilekeleli软件Noma inkundla yewebhusayithi ukuthola, isofthiwe ngokuvamile isebenzisa ithuluzi lokuthola umjovo we-sql jsky, inkundla yewebhusayithi inethuluzi lokuthola inkundla yokuphepha yewebhusayithi ye-Yisi. I-MDCSOFT SCAN et al.Ukusebenzisa i-MDCSOFT-IPS kungavikela ngempumelelo umjovo we-SQL, ukuhlaselwa kwe-XSS, njll.
Vimbela SQL Injection
Ngezilimi zokubhala ezifana ne-Perl ne-PHP ungakwazi ukubalekela idatha efakwe umsebenzisi ukuvimbela umjovo we-SQL.
Isandiso se-MySQL se-PHP sinikeza umsebenzi we-mysqli_real_escape_string() ukuze ubalekele izinhlamvu zokufaka ezikhethekile.
if (get_magic_quotes_gpc()) { $name = stripslashes($name); } $name = mysqli_real_escape_string($conn, $name); mysqli_query($conn, "SELECT * FROM users WHERE name='{$name}'");
Umjovo ku-Like Statements
Uma ubuza njengokuthi, uma umsebenzisi efaka amanani ngo-"_" kanye "%", lokhu kuzokwenzeka: umsebenzisi ekuqaleni wayefuna ukubuza "abcd_", kodwa imiphumela yombuzo ihlanganisa "abcd_", "abcde", kanye "abcdf " Njll.; inkinga iphinda ibe khona lapho umsebenzisi efuna ukubuza "30%" (inothi: amaphesenti angamashumi amathathu).
Kuskripthi se-PHP singasebenzisa umsebenzi we-addcslashes () ukuphatha lesi simo esingenhla, njengakusibonelo esilandelayo:
$sub = addcslashes(mysqli_real_escape_string($conn, "%something_"), "%_"); // $sub == \%something\_ mysqli_query($conn, "SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
Umsebenzi we-adddcslash () wengeza i-backslash ngaphambi kohlamvu olushiwo.
Ifomethi ye-syntax:
addcslashes(string,characters)
| Ipharamitha | incazelo |
|---|---|
| yezinhlamvu | Kudingeka.Icacisa iyunithi yezinhlamvu okufanele ihlolwe. |
| izinhlamvu | Ongakukhetha.Icacisa uhlamvu noma ububanzi bezinhlamvu ezithintwe ama-addcslash (). |
I-Hope Chen Weiliang Blog ( https://www.chenweiliang.com/ ) kwabelwane ngokuthi "I-MySQL iwuvimbela kanjani umjovo we-sql? sql umjovo isimiso nokuvimbela", kuyokusiza.
Siyakwamukela ukwabelana ngesixhumanisi salesi sihloko:https://www.chenweiliang.com/cwl-500.html
Uyemukelwa esiteshini seTelegram sebhulogi ka-Chen Weiliang ukuze uthole izibuyekezo zakamuva!
📚 Lo mhlahlandlela uqukethe inani elikhulu, 🌟Leli ithuba eliyivelakancane, ungaphuthelwa! ⏰⌛💨
Yabelana futhi uthanda uma uthanda!
Ukwabelana kwakho nokuthanda kwakho kuyisisusa sethu esiqhubekayo!