PHP |搜索用戶和攻擊的漏洞

Question

我正在使用MySQLi來防止對我的網站進行任何進一步的攻擊。我使用PHP 5.6.16，MySQL的版本：5.7.9，並使用WAMP

有一些奇怪的字符搜索的用戶時，如在搜索框中添加')角色，我現在遇到了下面的錯誤。

MySQL錯誤＃1064和SQLI漏洞

我如何消毒的文本框中輸入和防止任何奇怪的或無法識別的字符進行搜索？

截圖：

代碼：

<?php 
# Essential files, please don't erase it! 
require_once("../functions.php"); 
require_once("../db-const.php"); 
session_start(); 
?> 
<html> 
<head> 

    <script src="script.js" type="text/javascript"></script><!-- put it on user area pages --> 
</head> 
<body> 
    <h1> View Profile </h1> 
<hr /> 
<?php 
if (logged_in() == false) { 
echo "<script> window.alert(\"Please login first!\"); </script>"; 
    redirect_to("login.php"); 
} else { 
    if (isset($_GET['username']) && $_GET['username'] != "") { 
     $username = $_GET['username']; 
    } else { 
     $username = $_SESSION['username']; 
    } 

    ## connect mysql server 
     $mysqli = new mysqli(localhost, root, "", loginsecure); 
     # check connection 
     if ($mysqli->connect_errno) { 
      echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>"; 
      exit(); 
     } 
    ## query database 
     # fetch data from mysql database 
     $sql = "SELECT * FROM users WHERE username ='".$username."' LIMIT 1"; 

     if ($result = $mysqli->query($sql)) { 
      $user = $result->fetch_array(); 
     } else { 
      echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>"; 
      exit(); 
     } 

     if ($result->num_rows == 1) { 
      # calculating online status 
      if (time() - $user['status'] <= (5*200)) { // 300 seconds = 5 minutes timeout 
       $status = "Yes"; 
      } else { 
       $status = "No"; 
      } 

      # echo the user profile data 
      echo "<title> View Profile of: {$user['username']} </title>"; 
      echo " Account Searcher: <br> 
      <form action=\"?username=\" method=\"get\"> 
      Unique ID: <input type=\"text\" name=\"username\" placeholder=\"Searching for user: {$_GET['username']}\"> 
      <input type=\"submit\" value=\"Search\"> 
      </form><hr> 
      "; 
      echo "Unique ID: {$user['id']}\n<br>Username: {$user['username']}\n<br>First Name: {$user['first_name']}\n<br>Last Name: {$user['last_name']}\n<br>Email: {$user['email']}\n<br>Online? $status\n<br>"; 
     } else { // If user doesn't exists - trigger this event 
      echo " Account Searcher: <br> 
      <form action=\"\" method=\"get\"> 
      Username: <input type=\"text\" name=\"username\" placeholder=\"User not found!\"> 
      <input type=\"submit\" value=\"Search\"> 
      </form><hr> 
      "; 
      echo "<title> User doesn't exists! | Prospekt </title> <p><b>Error:</b> User doesn't exist! Please register first!</p>"; 
     } 
} 

// showing the login & register or logout link 
if (logged_in() == true) { 
    echo '<a href="../logout.php">Log Out</a> | <a href="../home.php"> Go to Home </a>'; 
} else { 
    echo '<a href="../login.php">Login</a> | <a href="register.php">Register</a>'; 
} 
?> 
<hr /> 
</body> 
</html> 

Answer 1

您直接發送值到數據庫查詢驗證之前這可能導致dangers.To防止SQL注入有內置的PHP函數，如mysqli_real_escape_string（） 。在於說一個完整的更好的解決方案是使用的PHP編寫的語句與PDO ..

在您的代碼：當你無論是從GET或POST變量採取從用戶的一些數據做這個

<?php 

$uname=$_GET['username']; 
//now validate 
$username=mysqli_real_escape_string($conn,htmlspecialchars($uname)); 
//Now username is somewhat protected.so now use it for sql queries. 

?> 

Answer 2

你代碼容易受到SQL注入的影響。最好的想法是使用預準備語句或pdo參數化查詢。也逃脫絃樂並對其進行消毒。瞭解有關準備對帳單的更多信息：http://php.net/manual/en/mysqli.quickstart.prepared-statements.php