回复内容:
没有编译就没有注入,避免提交上来的数据被编译就可以了,参数绑定就是避免提交数据被编译的方法。 使用PDO或者MySQLi,有很多封装好的方便的Class。例如使用PHP-PDO-MySQL-Class · GitHub(这个Class使用上比较类似Python的MySQLdb)的话,这样就是安全的:
<span class="cp"><?php</span>
<span class="nv">$DB</span><span class="o">-></span><span class="na">query</span><span class="p">(</span><span class="s2">"SELECT * FROM fruit WHERE name IN (?)"</span><span class="p">,</span><span class="k">array</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'pm1'</span><span class="p">],</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'pm2'</span><span class="p">]));</span>
<span class="nv">$DB</span><span class="o">-></span><span class="na">query</span><span class="p">(</span><span class="s2">"SELECT * FROM users WHERE name=? and password=?"</span><span class="p">,</span><span class="k">array</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'name'</span><span class="p">],</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'pw'</span><span class="p">]));</span>
<span class="cp">?></span><span class="x"></span>
防SQL注入最好的方法就是千万不要自己拼装SQL命令和参数, 而是用PDO的prepare和bind. 原理就在于要把你的SQL查询命令和传递的参数分开:
> prepare的时候, DB server会把你的SQL语句解析成SQL命令.
> bind的时候, 只是动态传参给DB Server解析好的SQL命令.
其他所有的过滤特殊字符串这种白名单的方式都是浮云. 仅仅防止sql注入的话,使用mysqli或者PDO的预编译就行了。用框架的话,要留意框架内部是怎么处理的。拼接sql语句这种做法早就该进历史的垃圾堆了。
此外PDO的预编译有个bug,在5.3.6之前还是会默认调用mysql_*进行拼接,需要设置$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);。 prepare && bind 一下即可。 简单来说,仅仅对于PHP程序的SQL注入,对输入输出的数据进行安全过滤是最主要的方法。
当然说起来简单,真正要做到很复杂,要考虑的细节和因素很多,包括编码、类型、前后逻辑等等,一个处理不慎,反而会弄巧成拙。
因此要做到程序尽可能的安全,需要程序员具有一定的安全意识和知识,从程序的最底层构建上就把安全因素考虑进去。
个人认为国内PHP安全圈的水准还是相当高的,各方面的资料也很多,推荐两个网站,里面有很多相关的资料,有兴趣的可以参考学习下:
http://80vul.com
http://bbs.wolvez.org 一律不能直接使用外来的参数,不要直接构造查询语句,使用statement进行参数填充等等 1、不要随意开启生产环境中Webserver的错误显示。
2、永远不要信任来自用户端的变量输入,有固定格式的变量一定要严格检查对应的格式,没有固定格式的变量需要对引号等特殊字符进行必要的过滤转义。
3、使用预编译绑定变量的SQL语句。
4、做好数据库帐号权限管理。
5、严格加密处理用户的机密信息。
来自 「Web安全之SQL注入攻击技巧与防范」。 给两个办法,匈牙利命名法、注入尝试探测
别瞧不起匈牙利命名法,这货的原意可不是你以为的傻瓜一样在变量名后加上类型名。真正的做法是:未做escape过滤的字符串命令按照你自己的习惯命名,escape后的字符串加上类似_f或_ss这样的suffix。习惯后在写代码的时候自然就会要求传入的字符串都是过滤过的。
注入尝试探测则比较简单:作为黑客来说如果需要进行攻击,会进行多次注入尝试,期间几乎可以肯定会构造出一个无效的sql语句,执行时就会报错了。自己写个数据库的query函数进行封装,如果发现有执行无效的sql语句则通过邮件或其他形式进行报警。
当然…担心SQL注入,都是用拼接字符串做SQL查询的土鳖程序员。正常的程序员会去找个ORM用。 我采用的方法是:
1.对团队成员进行安全培训,找出最常见的攻击方法逐个指导代码内屏蔽方式
2.用nginx之类的反向代理进行url参数过滤,基本能挡住90%的攻击
3.对磁盘文件进行高度权限设定
4.计划任务的脚本对程序源代码定期(比如每小时)执行遍历搜索,一般水平的攻击,都逃不过这个排查
5.对nginx过滤出的危险url进行程序自动分析,对于超过阈值的ip直接防火墙屏蔽
PHP in Action: Real-World Examples and ApplicationsApr 14, 2025 am 12:19 AMPHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.
PHP: Creating Interactive Web Content with EaseApr 14, 2025 am 12:15 AMPHP makes it easy to create interactive web content. 1) Dynamically generate content by embedding HTML and display it in real time based on user input or database data. 2) Process form submission and generate dynamic output to ensure that htmlspecialchars is used to prevent XSS. 3) Use MySQL to create a user registration system, and use password_hash and preprocessing statements to enhance security. Mastering these techniques will improve the efficiency of web development.
PHP and Python: Comparing Two Popular Programming LanguagesApr 14, 2025 am 12:13 AMPHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.
The Enduring Relevance of PHP: Is It Still Alive?Apr 14, 2025 am 12:12 AMPHP is still dynamic and still occupies an important position in the field of modern programming. 1) PHP's simplicity and powerful community support make it widely used in web development; 2) Its flexibility and stability make it outstanding in handling web forms, database operations and file processing; 3) PHP is constantly evolving and optimizing, suitable for beginners and experienced developers.
PHP's Current Status: A Look at Web Development TrendsApr 13, 2025 am 12:20 AMPHP remains important in modern web development, especially in content management and e-commerce platforms. 1) PHP has a rich ecosystem and strong framework support, such as Laravel and Symfony. 2) Performance optimization can be achieved through OPcache and Nginx. 3) PHP8.0 introduces JIT compiler to improve performance. 4) Cloud-native applications are deployed through Docker and Kubernetes to improve flexibility and scalability.
PHP vs. Other Languages: A ComparisonApr 13, 2025 am 12:19 AMPHP is suitable for web development, especially in rapid development and processing dynamic content, but is not good at data science and enterprise-level applications. Compared with Python, PHP has more advantages in web development, but is not as good as Python in the field of data science; compared with Java, PHP performs worse in enterprise-level applications, but is more flexible in web development; compared with JavaScript, PHP is more concise in back-end development, but is not as good as JavaScript in front-end development.
PHP vs. Python: Core Features and FunctionalityApr 13, 2025 am 12:16 AMPHP and Python each have their own advantages and are suitable for different scenarios. 1.PHP is suitable for web development and provides built-in web servers and rich function libraries. 2. Python is suitable for data science and machine learning, with concise syntax and a powerful standard library. When choosing, it should be decided based on project requirements.
PHP: A Key Language for Web DevelopmentApr 13, 2025 am 12:08 AMPHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SublimeText3 Linux new version
SublimeText3 Linux latest version
Dreamweaver Mac version
Visual web development tools
Zend Studio 13.0.1
Powerful PHP integrated development environment
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
