Hello, I'm developing a website, starting from the Bootstrap-based Metronic template (HTML template boilerplate). SQL injection indications and solutions
People say this code has a SQL injection risk.
Can you tell me where the code snippet is broken and how I should fix it?
<div class="container main">
    <div class="main_pad">
        <?php
        if(isset($_GET['ID'])) {
            $arrayResult = array();
            $query = $dbConnect->query("
                SELECT
                    designers.ID AS ID_designer,
                    designers.nome AS nome_designer,
                    designers.immagine AS immagine_designer,
                    designers.testo_IT AS testo_IT_designer,
                    designers.testo_EN AS testo_EN_designer,
                    designers.website AS website_designer,
                    designers.ID_linea AS ID_linea_designer
                FROM
                    designers
                WHERE
                    ID = '" . $_GET['ID'] . "'
            ");
            $result = $dbConnect->extractObject($query);
            if(count($result)>0) {
                for($i=0;$i<count($result);$i++) {
                    $fileParts = pathinfo($result[$i]->immagine_designer);
                    $basename = substr($fileParts['filename'], 0, -4);
                    $arrayResult = array(
                        $result[$i]->ID_designer, // 0
                        utf8_encode($result[$i]->nome_designer), // 1
                        $basename . '_640.' . $fileParts['extension'], // 2
                        utf8_encode($result[$i]->testo_IT_designer), // 3
                        utf8_encode($result[$i]->testo_EN_designer), // 4
                        $result[$i]->website_designer, // 5
                        $result[$i]->ID_linea_designer // 6
                    );
                }
            }
        ?>
        <div class="col-lg-6 designer">
            <a href="designers.php"><img src="images/left-arrow.png"></a>
            <h1><?php echo $arrayResult[1]; ?></h1>
            <ul class="top-nav nav-tabs" id="specs" role="tablist">
                <li class="active">
                    <a href="#bio"><?php echo $_SESSION['langPref']=='ENG' ? "BIO" : 'BIOGRAFIA'; ?></a>
                </li>
                <li>
                    <a href="#products"><?php echo $_SESSION['langPref']=='ENG' ? "PRODUCTS" : 'PRODOTTI'; ?></a>
                </li>
            </ul>
            <div class="tab-content">
                <div class="tab-pane active" id="bio">
                    <div class="row">
                        <div class="col-lg-12">
                            <p style="margin-top: 20px;">
                                <?php
                                switch($_SESSION['langPref']){
                                    default :
                                    case 'ENG' :
                                        echo $arrayResult[4];
                                        break;
                                    case 'IT' :
                                        echo $arrayResult[3];
                                        break;
                                }
                                ?>
                            </p>
                        </div>
                    </div>
                </div>
                <div class="tab-pane" id="products">
                    <div class="row">
                        <div class="col-lg-12">
                            <?php
                            $arrayLinesList = array();
                            foreach(explode(',', $arrayResult[6]) as $lines => $line) {
                                $arrayLinesList[] = '"' . $line . '",';
                            }
                            $query = $dbConnect->query("
                                SELECT
                                    *
                                FROM
                                    prodotti
                                WHERE
                                    prodotti.ID_linea IN (" . substr(implode('', $arrayLinesList), 0, -1) . ")
                            ");
                            $result = $dbConnect->extractObject($query);
                            if(count($result)>0) {
                                echo '<ul style="margin-top: 20px;">';
                                for($i=0;$i<count($result);$i++) {
                                    $co = '';
                                    if($result[$i]->ID == 58){
                                        $co = '(Claudio Dondoli)';
                                    }elseif($result[$i]->ID == 53 && $_GET['ID'] == 19 || $result[$i]->ID == 40 && $_GET['ID'] == 19 || $result[$i]->ID == 41 && $_GET['ID'] == 19 || $result[$i]->ID == 62 && $_GET['ID'] == 19 || $result[$i]->ID == 63 && $_GET['ID'] == 19) {
                                        $co = '(with Gianfranco Gualtierotti)';
                                    }elseif($result[$i]->ID == 53 && $_GET['ID'] == 7 || $result[$i]->ID == 40 && $_GET['ID'] == 7 || $result[$i]->ID == 41 && $_GET['ID'] == 7 || $result[$i]->ID == 62 && $_GET['ID'] == 7 || $result[$i]->ID == 63 && $_GET['ID'] == 7) {
                                        $co = '(with Giancarlo Vegni)';
                                    }elseif($result[$i]->ID == 26 && $_GET['ID'] == 10 || $result[$i]->ID == 27 && $_GET['ID'] == 10 || $result[$i]->ID == 28 && $_GET['ID'] == 10 || $result[$i]->ID == 29 && $_GET['ID'] == 10 || $result[$i]->ID == 61 && $_GET['ID'] == 10) {
                                        $co = '(with Patricia Urquiola)';
                                    }elseif($result[$i]->ID == 26 && $_GET['ID'] == 18 || $result[$i]->ID == 27 && $_GET['ID'] == 18 || $result[$i]->ID == 28 && $_GET['ID'] == 18 || $result[$i]->ID == 29 && $_GET['ID'] == 18 || $result[$i]->ID == 61 && $_GET['ID'] == 18) {
                                        $co = '(with Sung Sook Kim)';
                                    }
                                    echo '<li><a href="product.php?ID=' . $result[$i]->ID . '">' . utf8_encode($arrayLines[$result[$i]->ID_linea][0]) .' '. $result[$i]->nome .'</a>  ' . ($co) .'</li>';
                                }
                                echo '</ul>';
                            } else {
                                echo '<p style="margin-top: 20px;">This designer has no products listed here!</p>';
                            }
                            ?>
                        </div>
                    </div>
                </div>
            </div>
        </div><!-- /.left_cont -->
        <div class="col-lg-6 right_cont">
            <img src="admin/assets/admin/layout/img/designers/<?php echo $arrayResult[2]; ?>" class="img-responsive" />
        </div><!-- /.right_cont -->
        <?php
        }
        ?>
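Both queries in the question build SQL by string concatenation: `$_GET['ID']` goes straight into the WHERE clause, and the IN (...) list is assembled from the designer's ID_linea field without any validation. Below, as an added example that is not part of the original question, the same two lookups are rewritten with PDO prepared statements; it assumes a PDO connection `$pdo` (hypothetical, replacing the question's `$dbConnect` wrapper and its `extractObject()` method) and keeps the table and column names from the posted code.

```php
<?php
// Added example, not from the original question. Assumes a PDO connection $pdo
// (hypothetical; the question's $dbConnect wrapper is not used) and the table
// and column names from the posted code.

/** Fetch one designer row by ID, or null. The ID never becomes part of the SQL text. */
function fetchDesigner(PDO $pdo, string $rawId): ?array
{
    // Reject anything that is not a plain positive integer before it reaches the database.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT designers.ID AS ID_designer, designers.nome AS nome_designer,
                designers.immagine AS immagine_designer, designers.testo_IT AS testo_IT_designer,
                designers.testo_EN AS testo_EN_designer, designers.website AS website_designer,
                designers.ID_linea AS ID_linea_designer
         FROM designers WHERE ID = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Fetch products for a comma-separated ID_linea list, one bound placeholder per value. */
function fetchProductsForLines(PDO $pdo, string $lineList): array
{
    // Keep only well-formed integers; the list of "?" placeholders grows with the
    // input, so every value is bound instead of being concatenated into IN (...).
    $ids = array_values(array_filter(array_map('trim', explode(',', $lineList)), 'ctype_digit'));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT * FROM prodotti WHERE prodotti.ID_linea IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT); // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage in place of the original inline queries (hypothetical DSN and credentials):
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$designer = (isset($_GET['ID']) && is_string($_GET['ID'])) ? fetchDesigner($pdo, $_GET['ID']) : null;
$products = $designer ? fetchProductsForLines($pdo, (string) $designer['ID_linea_designer']) : [];
```

Prepared statements protect the database, not the page: the values the question echoes into HTML (`$arrayResult[1]`, the product links) should separately be passed through htmlspecialchars().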
Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Thilo 2015-02-12 09:18:18