当前位置: 首页 » php

how safe are PDO prepared statements

Started using PDO prepared statements not too long ago, and, as i understand, it does all the escaping/security for you. for example, assuming $_POST['title'] is a form field. $title = $_POST['title']; $query = "insert into blog(userID, title) values (?, ?)" $st = $sql->prepare($query); $st->bindParam(1, $_SESSION['user']['userID'], PDO::PARAM_INT); $st->bindParam(2, $title);

2018-07-03 14:47:34

PDO准备好的报表有多安全

不久前开始使用PDO准备好的语句,并且据我所知,它为您完成所有转义/安全性。 例如,假设$ _POST ['title']是一个表单字段。 $title = $_POST['title']; $query = "insert into blog(userID, title) values (?, ?)" $st = $sql->prepare($query); $st->bindParam(1, $_SESSION['user']['userID'], PDO::PARAM_INT); $st->bindParam(2, $title); $st->execute(); 这真的很安全吗? 我还需要做其他什么吗

2018-07-03 14:47:33

Mysql and PHP Problem?

似乎有一个解析错误,我的MySQL和PHP代码可以帮助我清理这些代码。 $tag = mysql_real_escape_string($_POST['tag']); $query = 'UPDATE tags SET count = count+1 WHERE tag = '.$tag; mysql_query($query,$dbc); if( !mysql_affected_rows() ) { $query = 'INSERT INTO tags (tag,count) VALUES('.$tag.',1)'; if (mysql_query($query,$dbc)); { die(

2018-07-03 14:45:28

Mysql和PHP的问题?

似乎有一个解析错误,我的MySQL和PHP代码可以帮助我清理这些代码。 $tag = mysql_real_escape_string($_POST['tag']); $query = 'UPDATE tags SET count = count+1 WHERE tag = '.$tag; mysql_query($query,$dbc); if( !mysql_affected_rows() ) { $query = 'INSERT INTO tags (tag,count) VALUES('.$tag.',1)'; if (mysql_query($query,$dbc)); { die(

2018-07-03 14:45:28

Warning: mysqli

I try make php login but i get this error: Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given, what I do wrong? register.php <!doctype html> <html lang"fi"> <head> <link rel="icon" type='image/png' href='images/logo.png'> <title> asd </title> <link href="css/styles.css" type="text/css" rel="stylesheet"> </head> <body>

2018-07-03 14:41:18

警告:mysqli

我尝试使php登录,但我得到这个错误: Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given,我做错了什么? register.php <!doctype html> <html lang"fi"> <head> <link rel="icon" type='image/png' href='images/logo.png'> <title> asd </title> <link href="css/styles.css" type="text/css" rel="stylesheet"> </head> <body> <!--r

2018-07-03 14:41:17

Hosting on Android: Backing up by cloning to external SD card?

I'm hosting a small website on a pretty budget android tablet. If it were to fail, I would essentially lose my files. To get around this, I'm thinking of using PHP copy(); to clone the main directory to the tablet's SD card at my request. Is this a good idea, or not? What are the risks? While this is happening, will PHP still continue to run other scripts? The directory that

2018-07-03 14:18:52

在Android上托管:通过克隆到外部SD卡备份?

我正在一个漂亮的预算Android平板电脑上托管一个小网站。 如果失败了,我基本上会丢失我的文件。 为了解决这个问题,我正在考虑使用PHP copy(); 根据我的要求将主目录克隆到平板电脑的SD卡上。 这是一个好主意,还是不是? 有什么风险? 发生这种情况时,PHP会继续运行其他脚本吗? 将被克隆的目录仅包含网页,所有图像已被移入另一个文件夹。 以下是我计划完成的方式: include("adminverify.php"); if(isset($_

2018-07-03 14:18:52

SQL Injection in server

We had a security audit on our code, and they mentioned that our code is vulnerable to SQL Injection attack. Explanation- Below code ($rResult = mysql_query( $sQuery, $gaSql['link'] ) or die(mysql_error());) of server_processing.php invokes a SQL query built using input coming from an untrusted source. This call could allow an attacker to modify the statement's meaning or to execut

2018-07-03 13:08:35

服务器中的SQL注入

我们对代码进行了安全审计,他们提到我们的代码容易受到SQL注入攻击。 解释 - server_processing.php的下面代码($ rResult = mysql_query($ sQuery,$ gaSql ['link'])或die(mysql_error());)会调用使用来自不可信源的输入构建的SQL查询。 此调用可能允许攻击者修改语句的含义或执行任意的SQL命令。 /* * SQL queries * Get data to display */ $sQuery = " SELECT SQL_CALC_FOU

2018-07-03 13:08:34

still got sql injection hacked using PDO parameterized query

I have inherited an old php based website that keeps getting hacked. Per the information I found here: How can I prevent SQL injection in PHP?, I updated the sql queries using PDO parameterized queries. We got hacked last week again and it looked like a sql injection attack. All of the usernames were deleted from the user table and replaced with their own information. Then the hackers were a

2018-07-03 13:06:30

仍然使用PDO参数化查询攻击了SQL注入

我继承了一个老的基于php的网站,不断遭到黑客入侵。 根据我在这里找到的信息:我如何防止PHP中的SQL注入?我更新了使用PDO参数化查询的SQL查询。 我们上周再次遭到黑客攻击,看起来像是一次SQL注入攻击。 所有用户名都从用户表中删除,并用自己的信息替换。 然后,黑客能够进入该网站的管理部分,并造成各种破坏。 参数化查询怎么会发生这种情况? 看到我的代码如下 - 我错过了什么? 我将更改用于此查询的db登录名的

2018-07-03 13:06:30

re SQL Injection Attack using MySQL, what are baseline requirements?

In current project using MySQL. Looking into the mysqli functions, found them to be very difficult to use. In my opinion, any programmer using the library should have a Medal of Honor. Three problems: mysqli does not handle NULL or functions such as CURRENT_DATE it is impossible to use paramterized SQL statements for queries with random WHERE clauses (so how do you prevent SQL Injection a

2018-07-03 13:05:28

使用MySQL重新SQL注入攻击,什么是基线要求?

在当前使用MySQL的项目中。 研究mysqli函数,发现它们很难使用。 在我看来,任何使用该库的程序员都应该获得荣誉勋章。 三个问题: mysqli不处理NULL或函数,如CURRENT_DATE 使用随机WHERE子句的查询使用参数化SQL语句是不可能的(所以如何防止SQL注入攻击?) 在我看来,在复杂情况下使用sqli工作太多了(请参阅链接) PDO不能解决任何这些问题。 问题是SQL注入:如果不使用参数化查询,PDO如何帮助SQL注入? 记

2018-07-03 13:05:27

string() a good defense against SQL Injection?

This question already has an answer here: Can I protect against SQL Injection by escaping single-quote and surrounding user input with single-quotes? 18 answers How can I prevent SQL injection in PHP? 28 answers SQL injection that gets around mysql_real_escape_string() 4 answers NO is_string() will not protect against SQL injection, a numeric payload will not be able to cause any tabl

2018-07-03 13:03:23

string()可以很好地防御SQL注入?

这个问题在这里已经有了答案: 我可以通过用单引号转义单引号和周围的用户输入来防止SQL注入吗? 18个答案 我如何防止PHP中的SQL注入? 28个答案 SQL注入绕过mysql_real_escape_string()4个答案 没有 is_string()不会防止SQL注入,无论如何,数字有效负载不会导致任何表损坏或不必要的访问,并且字符串清理不能防止所有SQL注入。 我应该给你一些关于为什么准备好的声明是惊人的,但是你自己指出问题的关键是指出

2018-07-03 13:03:23

Is there any way to SQL inject in my code?

This question already has an answer here: SQL injection that gets around mysql_real_escape_string() 4 answers How can I prevent SQL injection in PHP? 28 answers Yes there is. You are solely relying on mysql_real_escape_string which has been deprecated. Furthermore you should build some of your own logic tests based on a range of input that you are expecting. You might want to use RegExp

2018-07-03 13:02:21

有没有办法在我的代码中注入SQL?

这个问题在这里已经有了答案: SQL注入绕过mysql_real_escape_string()4个答案 我如何防止PHP中的SQL注入? 28个答案 就在这里。 您完全依赖于已弃用的mysql_real_escape_string 。 此外,你应该根据你所期望的一系列输入建立一些你自己的逻辑测试。 您可能想要使用RegExp或其他一些修剪功能,但不要仅依赖于mysql_real_escape_string 。 你应该写一些逻辑来测试你所期望的数据。 您可以查看http://php.net/manu

2018-07-03 13:02:21

Someone has dropped a table in my database. How?

This question already has an answer here: SQL injection that gets around mysql_real_escape_string() 4 answers he probably entered the next string '1'; ; If I'm not mistaken, this php function will not prevent sql injection, it only make sure the sql string is legal and SELECT categories.id AS cid, categories.title AS ctitle FROM categories WHERE cid='-1'; SQL INJECTION

2018-07-03 13:01:19

有人在我的数据库中放了一张桌子。 怎么样?

这个问题在这里已经有了答案: SQL注入绕过mysql_real_escape_string()4个答案 他可能输入了下一个字符串'1'; ; 如果我没有弄错,这个php函数不会阻止sql注入,它只会确保sql字符串是合法的并且SELECT categories.id AS cid,categories.title AS ctitle FROM categories WHERE cid =' - 1'; SQL注入字符串; 是sql的合法字符串 你采取了措施,以确保SQL注入是不可能的? 防止注入的一些方法是在

2018-07-03 13:01:19