一、SQL注入實例

后臺的插入語句代碼：

$unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");

當POST的內容為：

value'); DROP TABLE table;--

以上的整個SQL查詢語句變成：

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')

二、防止SQL注入措施

1.使用預處理語句和參數化查詢。（‘Use prepared statements and parameterized queries.’）?

SQL語句和查詢的參數分別發送給數據庫服務器進行解析。這種方式有2種實現：?

（1）使用PDO（PHP data object）

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name'); $stmt->execute(array('name' => $name)); foreach ($stmt as $row) { // do something with $row }

（2）使用MySQLi

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?'); $stmt->bind_param('s', $name); $stmt->execute(); $result = $stmt->get_result(); while ($row = $result->fetch_assoc()) { // do something with $row }

2.對查詢語句進行轉義（最常見的方式）

$unsafe_variable = $_POST["user-input"]; $safe_variable = mysql_real_escape_string($unsafe_variable); mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')"); $mysqli = new mysqli("server", "username", "password", "database_name"); // TODO - Check that connection was successful. $unsafe_variable = $_POST["user-input"]; $stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)"); // TODO check that $stmt creation succeeded // "s" means the database expects a string $stmt->bind_param("s", $unsafe_variable); $stmt->execute(); $stmt->close(); $mysqli->close();

3.限制引入的參數

$orders = array("name","price","qty"); //field names $key = array_search($_GET['sort'],$orders)); // see if we have such a name $orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :) $query = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe

4.對引入參數進行編碼

SELECT password FROM users WHERE name = 'root' --普通方式 SELECT password FROM users WHERE name = 0x726f6f74 --防止注入 SELECT password FROM users WHERE name = UNHEX('726f6f74') --防止注入 set @INPUT = hex("%實驗%"); select * from login where reset_passwd_question like unhex(@INPUT) ;

轉自 :?http://blog.csdn.net/ty_hf/article/details/49076807?locationNum=14&fps=1

總結

以上是生活随笔為你收集整理的Mysql数据库安全性问题【防注入】的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。