PHP保护数据库的具体代码示例_PHP教程
- WBOY原創
- 2016-07-15 13:29:12960瀏覽
因为数据库管理不善导致数据丢失,为自己带来损失的例子不再少数。我们这次就要讲到下面代码显示了运行 SQL 语句的示例脚本。在本例中,SQL 语句是允许相同攻击的动态语句。此表单的所有者可能认为表单是安全的,因为他们已经把列名限定为选择列表。但是,代码疏忽了关于表单欺骗的最后一个习惯 — 代码将选项限定为下拉框并不意味着其他人不能够发布含有所需内容的表单(包括星号 [*])。
<ol class="dp-xml">
<li class="alt"><span><strong><font color="#006699"><span class="tag"><span class="tag-name">html</span><span class="tag">></span></span></font></strong><span> </span></span></li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">head</span><span class="tag">></span></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">title</span><span class="tag">></span></span></font></strong><span>SQL Injection Example</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">title</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">head</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">body</span><span class="tag">></span></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">form</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">id</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"myFrom"</font></span><span> </span><span class="attribute"><font color="#ff0000">action</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"<?php echo $_SERVER['PHP_SELF']; ?>"</font></span><span> </span>
</li>
<li class="alt">
<span> </span><span class="attribute"><font color="#ff0000">method</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"post"</font></span><span class="tag"><strong><font color="#006699">></font></strong></span><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">div</span><span class="tag">></span><span class="tag"><span class="tag-name">input</span></span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">type</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"text"</font></span><span> </span><span class="attribute"><font color="#ff0000">name</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"account_number"</font></span><span> </span>
</li>
<li class="alt">
<span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>="</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">php</span></font></strong><span> echo(isset($_POST['account_number']) ? </span>
</li>
<li class="">
<span> $_POST['account_number'] : ''); </span><span class="tag"><strong><font color="#006699">?></font></strong></span><span>" </span><span class="tag"><strong><font color="#006699">/></font></strong></span><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">select</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">name</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"col"</font></span><span class="tag"><strong><font color="#006699">></font></strong></span><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">option</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"account_number"</font></span><span class="tag"><strong><font color="#006699">></font></strong></span><span>Account Number</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">option</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">option</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"name"</font></span><span class="tag"><strong><font color="#006699">></font></strong></span><span>Name</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">option</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">option</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"address"</font></span><span class="tag"><strong><font color="#006699">></font></strong></span><span>Address</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">option</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">select</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">input</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">type</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"submit"</font></span><span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"Save"</font></span><span> </span><span class="attribute"><font color="#ff0000">name</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"submit"</font></span><span> </span><strong><font color="#006699"><span class="tag">/></span><span class="tag"></span><span class="tag-name">div</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">form</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">php</span></font></strong><span> </span>
</li>
<li class="alt"><span>if ($_POST['submit'] == 'Save') { </span></li>
<li class=""><span> /* do the form processing */ </span></li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">link</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">mysql_connect</font></span><span>('hostname', 'user', 'password') or </span>
</li>
<li class=""><span> die ('Could not connect' . mysql_error()); </span></li>
<li class="alt"><span> mysql_select_db('test', $link); </span></li>
<li class=""><span> </span></li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">col</font></span><span> = $_POST['col']; </span>
</li>
<li class=""><span> </span></li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">select</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">"SELECT "</font></span><span> . $col . " FROM account_data WHERE </span><span class="attribute"><font color="#ff0000">account_number</font></span><span> = " </span>
</li>
<li class=""><span> . $_POST['account_number'] . ";" ; </span></li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">p</span><span class="tag">></span></span></font></strong><span>' . $select . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">p</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class=""><span> </span></li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">result</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">mysql_query</font></span><span>($select) or die('</span><strong><font color="#006699"><span class="tag"><span class="tag-name">p</span><span class="tag">></span></span></font></strong><span>' . mysql_error() . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">p</span><span class="tag">></span></font></strong><span>'); </span>
</li>
<li class=""><span> </span></li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">table</span><span class="tag">></span></span></font></strong><span>'; </span>
</li>
<li class="">
<span> while ($</span><span class="attribute"><font color="#ff0000">row</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">mysql_fetch_assoc</font></span><span>($result)) { </span>
</li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">tr</span><span class="tag">></span></span></font></strong><span>'; </span>
</li>
<li class="">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">td</span><span class="tag">></span></span></font></strong><span>' . $row[$col] . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">td</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">tr</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class=""><span> } </span></li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">table</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class=""><span> </span></li>
<li class="alt"><span> mysql_close($link); </span></li>
<li class=""><span>} </span></li>
<li class="alt">
<span></span><span class="tag"><strong><font color="#006699">?></font></strong></span><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">body</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">html</span><span class="tag">></span></font></strong><span> </span>
</li>
</ol>
因此,要形成PHP保护数据库的习惯,请尽可能避免使用动态 SQL 代码。如果无法避免动态 SQL 代码,请不要对列直接使用输入。下面则显示了除使用静态列外,还可以向帐户编号字段添加简单验证例程以确保输入值不是非数字值。
<ol class="dp-xml">
<li class="alt"><span><strong><font color="#006699"><span class="tag"><span class="tag-name">html</span><span class="tag">></span></span></font></strong><span> </span></span></li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">head</span><span class="tag">></span></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">title</span><span class="tag">></span></span></font></strong><span>SQL Injection Example</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">title</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">head</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">body</span><span class="tag">></span></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">form</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">id</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"myFrom"</font></span><span> </span><span class="attribute"><font color="#ff0000">action</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"<?php echo $_SERVER['PHP_SELF']; ?>"</font></span><span> </span>
</li>
<li class="alt">
<span> </span><span class="attribute"><font color="#ff0000">method</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"post"</font></span><span class="tag"><strong><font color="#006699">></font></strong></span><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"><span class="tag-name">div</span><span class="tag">></span><span class="tag"><span class="tag-name">input</span></span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">type</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"text"</font></span><span> </span><span class="attribute"><font color="#ff0000">name</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"account_number"</font></span><span> </span>
</li>
<li class="alt">
<span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>="</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">php</span></font></strong><span> echo(isset($_POST['account_number']) ? </span>
</li>
<li class="">
<span> $_POST['account_number'] : ''); </span><span class="tag"><strong><font color="#006699">?></font></strong></span><span>" </span><span class="tag"><strong><font color="#006699">/></font></strong></span><span> </span><strong><font color="#006699"><span class="tag"><span class="tag-name">input</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">type</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"submit"</font></span><span> </span>
</li>
<li class="alt">
<span> </span><span class="attribute"><font color="#ff0000">value</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"Save"</font></span><span> </span><span class="attribute"><font color="#ff0000">name</font></span><span>=</span><span class="attribute-value"><font color="#0000ff">"submit"</font></span><span> </span><strong><font color="#006699"><span class="tag">/></span><span class="tag"></span><span class="tag-name">div</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">form</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">php</span></font></strong><span> </span>
</li>
<li class=""><span>function isValidAccountNumber($number) </span></li>
<li class="alt"><span>{ </span></li>
<li class=""><span> return is_numeric($number); </span></li>
<li class="alt"><span>} </span></li>
<li class=""><span>if ($_POST['submit'] == 'Save') { </span></li>
<li class="alt"><span> </span></li>
<li class=""><span> /* Remember habit #1--validate your data! */ </span></li>
<li class="alt"><span> if (isset($_POST['account_number']) & </span></li>
<li class=""><span> isValidAccountNumber($_POST['account_number'])) { </span></li>
<li class="alt"><span> </span></li>
<li class=""><span> /* do the form processing */ </span></li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">link</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">mysql_connect</font></span><span>('hostname', 'user', 'password') or </span>
</li>
<li class=""><span> die ('Could not connect' . mysql_error()); </span></li>
<li class="alt"><span> mysql_select_db('test', $link); </span></li>
<li class=""><span> </span></li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">select</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">sprintf</font></span><span>("SELECT account_number, name, address " . </span>
</li>
<li class="">
<span> " FROM account_data WHERE </span><span class="attribute"><font color="#ff0000">account_number</font></span><span> = %s;", </span>
</li>
<li class="alt"><span> mysql_real_escape_string($_POST['account_number'])); </span></li>
<li class="">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">p</span><span class="tag">></span></span></font></strong><span>' . $select . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">p</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class="alt">
<span> $</span><span class="attribute"><font color="#ff0000">result</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">mysql_query</font></span><span>($select) or die('</span><strong><font color="#006699"><span class="tag"><span class="tag-name">p</span><span class="tag">></span></span></font></strong><span>' . mysql_error() . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">p</span><span class="tag">></span></font></strong><span>'); </span>
</li>
<li class=""><span> </span></li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">table</span><span class="tag">></span></span></font></strong><span>'; </span>
</li>
<li class="">
<span> while ($</span><span class="attribute"><font color="#ff0000">row</font></span><span> = </span><span class="attribute-value"><font color="#0000ff">mysql_fetch_assoc</font></span><span>($result)) { </span>
</li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">tr</span><span class="tag">></span></span></font></strong><span>'; </span>
</li>
<li class="">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">td</span><span class="tag">></span></span></font></strong><span>' . $row['account_number'] . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">td</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">td</span><span class="tag">></span></span></font></strong><span>' . $row['name'] . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">td</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class="">
<span> echo '</span><strong><font color="#006699"><span class="tag"><span class="tag-name">td</span><span class="tag">></span></span></font></strong><span>' . $row['address'] . '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">td</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">tr</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class=""><span> } </span></li>
<li class="alt">
<span> echo '</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">table</span><span class="tag">></span></font></strong><span>'; </span>
</li>
<li class=""><span> </span></li>
<li class="alt"><span> mysql_close($link); </span></li>
<li class=""><span> } else { </span></li>
<li class="alt">
<span> echo "</span><strong><font color="#006699"><span class="tag"><span class="tag-name">span</span></span></font></strong><span> </span><span class="attribute"><font color="#ff0000">style</font></span><span>="font-color:red"</span><span class="tag"><strong><font color="#006699">></font></strong></span><span>" . </span>
</li>
<li class="">
<span> "Please supply a valid account number!</span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">span</span><span class="tag">></span></font></strong><span>"; </span>
</li>
<li class="alt"><span> </span></li>
<li class=""><span> } </span></li>
<li class="alt"><span>} </span></li>
<li class="">
<span></span><span class="tag"><strong><font color="#006699">?></font></strong></span><span> </span>
</li>
<li class="alt">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">body</span><span class="tag">></span></font></strong><span> </span>
</li>
<li class="">
<span></span><strong><font color="#006699"><span class="tag"></span><span class="tag-name">html</span><span class="tag">></span></font></strong><span> </span>
</li>
</ol>
在这次PHP保护数据库的例子中还展示了 mysql_real_escape_string() 函数的用法。此函数将正确地过滤您的输入,因此它不包括无效字符。如果您一直依赖于 magic_quotes_gpc,那么需要注意它已被弃用并且将在 PHP V6 中删除。从现在开始应避免使用它并在此情况下编写安全的 PHP 应用程序。此外,如果使用的是 ISP,则有可能您的 ISP 没有启用 magic_quotes_gpc。
最后,在改进的PHP保护数据库示例中,您可以看到该 SQL 语句和输出没有包括动态列选项。使用这种方法,如果把列添加到稍后含有不同信息的表中,则可以输出这些列。如果要使用框架以与数据库结合使用,则您的框架可能已经为您执行了 SQL 验证。确保查阅文档以保证框架的安全性;如果仍然不确定,请进行验证以确保稳妥。即使使用框架进行数据库交互,仍然需要执行其他验证。
陳述:
本文內容由網友自願投稿,版權歸原作者所有。本站不承擔相應的法律責任。如發現涉嫌抄襲或侵權的內容,請聯絡admin@php.cn