PHP-解决sql注入攻击的方法
[*]YII框架的做法:
1
2
3
4
5
6
7
8
9
10
11
12
/**
* php yii sql Injection
*/
使用addSearchCondition()方法,替换addCondition()方法
$criteria = new CDbCriteria();
$criteria->addSearchCondition('email',$this->email);
$criteria->addSearchCondition('passWord',md5('cfgdc2013+' . $this->password));
//$criteria->addCondition("email='".$this->email."'");
//$criteria->addCondition("passWord='".md5('cfgdc2013+' . $this->password)."'");
//$criteria->addCondition("passWord='". $this->password."'");
$this->user = Users::model()->findAll($criteria);
[*]mysql做法:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
<?php
function check_input($value)
{
// 去除斜杠
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// 如果不是数字则加引号
//if (!is_numeric($value))
//{
$value = mysql_real_escape_string($value);
//}
return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// 进行安全的 SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
[*]sqlit做法:
页:
[1]