2013-05-07 57 views

I want to prevent SQL injection in my statement, but I am confused about Active Record and query bindings. How can I prevent SQL injection with CodeIgniter?

This is my current MySQL query, named results.

$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id 
FROM exp_members as em 
    INNER JOIN transactions as t on (em.member_id = t.cardid-10000000) 
    INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id) 
    INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id) 
    INNER join exp_member_data as emd on em.member_id = emd.member_id 
WHERE em.member_id = '".($_GET['cardid']-10000000)."'"); 

This is what I tried in order to prevent MySQL injection. Is this secure enough?

$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id 
FROM exp_members as em 
    INNER JOIN transactions as t on (em.member_id = t.cardid-10000000) 
    INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id) 
    INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id) 
    INNER join exp_member_data as emd on em.member_id = emd.member_id 
WHERE em.member_id = '".$this->db->escape(($_GET['cardid']-10000000))."'"); 

But is this also an option, or not?

$this->load->database(); 
$this->load->library('table'); 

$this->db->select(' t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id'); 
$this->db->from('exp_members'); 
$this->db->join('transactions', 'exp_members.member_id = transactions.cardid-10000000', 'inner'); 
$this->db->join('exp_channel_titles', 'transactions.restaurant_id = exp_channel_titles.entry_id', 'inner'); 
$this->db->join('exp_channel_data', 'exp_channel_titles.entry_id = exp_channel_data.entry_id', 'inner'); 
$this->db->join('exp_member_data', 'exp_members.member_id = exp_member_data.member_id', 'inner'); 
$this->db->where('exp_members.member_id', $this->db->escape(($_GET['cardid']-10000000))); 
$query = $this->db->get(); 
echo $query; 

Is this secure, or the correct way, or am I missing something?

Answer

The last two methods are correct for avoiding SQL injection. In the last snippet, which uses Active Record, you do not need to call escape, because CodeIgniter does it automatically.

In method nr 2: is this right: WHERE em.member_id = '".$this->db->escape(($_GET['cardid']-10000000))."'"); or WHERE em.member_id = ?", array($this->input->get('cardid')-10000000)); – Zaz 2013-05-07 21:22:34

Both are correct, but the second method is cleaner. In both methods you do not need to write the quotes. $this->db->escape already adds the quotes, and you only need to write em.member_id = ? and CodeIgniter will set the quotes automatically. http://ellislab.com/codeigniter/user-guide/database/queries.html – 2013-05-07 21:36:00
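As an added example that is not code from the question or the answers, here are the three forms discussed above written as one CodeIgniter 2.x model, with cardid cast to an integer before it is used; the model class, the method names and the reduced column list are assumptions.

```php
<?php
// Added example (not from the question or the answers): the same lookup written three
// ways in CodeIgniter 2.x, showing what each form does with the untrusted cardid.
// Assumes a CodeIgniter model, so $this->db and $this->input are the framework objects.
class Transaction_model extends CI_Model
{
    const CARDID_OFFSET = 10000000;
    // Derive the member id once, as an integer. Casting before the arithmetic
    // means a value such as "5' OR '1'='1" becomes 5 and never reaches the SQL text.
    private function member_id_from_request()
    {
        $cardid = (int) $this->input->get('cardid');
        return $cardid - self::CARDID_OFFSET;
    }

    // 1) Query binding: "?" is replaced by the escaped value (quoted if it is a
    //    string), so no quotes are written around the placeholder.
    public function by_binding()
    {
        $sql = "SELECT t.transactionid, t.transactiontime, em.email
                FROM exp_members AS em
                INNER JOIN transactions AS t ON (em.member_id = t.cardid-10000000)
                WHERE em.member_id = ?";
        return $this->db->query($sql, array($this->member_id_from_request()))->result();
    }

    // 2) Manual escape(): a string comes back already quoted (an integer comes back
    //    bare), so the SQL must not add its own quotes around it.
    public function by_escape()
    {
        $sql = "SELECT t.transactionid, t.transactiontime, em.email
                FROM exp_members AS em
                INNER JOIN transactions AS t ON (em.member_id = t.cardid-10000000)
                WHERE em.member_id = " . $this->db->escape($this->member_id_from_request());
        return $this->db->query($sql)->result();
    }

    // 3) Active Record: where() escapes the value itself, so passing an
    //    already escaped string (as in the third attempt) would double-escape it.
    public function by_active_record()
    {
        $this->db->select('t.transactionid, t.transactiontime, em.email');
        $this->db->from('exp_members AS em');
        $this->db->join('transactions AS t', 'em.member_id = t.cardid-10000000', 'inner');
        $this->db->where('em.member_id', $this->member_id_from_request());
        return $this->db->get()->result();
    }
}
```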