最受欢迎

XSS&;SQLi预防+从URL获取变量

XSS & SQLi Prevention + Getting variable from URL

本文关键字:URL 获取 变量 预防 amp SQLi XSS | 更新日期: 2023-09-27

我想为我正在做的事情做API,但我不知道如何修复我现在拥有的东西。

我想有一些类似登录的东西,如果密钥是正确的,并匹配数据库中的IP,然后做其他事情

if (isset($_GET['key'])) {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $apikey = $_GET['key'];
    //$apikey = mysql_real_escape_string($api);
    echo $apikey."<br />".$ip;
    $mysql_host = "**.***.**.***";
    $mysql_database = "*****";
    $mysql_user = "********";
    $mysql_password = "******************";
    mysql_connect($mysql_host,$mysql_user,$mysql_password);
    @mysql_select_db($mysql_database) or die("Unable to select database");
    $query="SELECT * FROM `api` WHERE `apikey` = '".$apikey."' AND `ip`='".$ip"'";
    $result=mysql_query($query);
    if (!$result) {
        die(mysql_error());
    }
    // assign mySQL values from table to php variables
    $teest = mysql_result($result,1,'apikey');
    echo $teest;
    //close the mySQL connection        
    mysql_close();
} else {
    echo "Usage: api.php?key={YourUniqueKey}";
}

a)提供mysql_*函数的扩展被标记为depeatd。最好使用mysqli或PDO。

b) 将两个参数(作为字符串文字)放入sql查询中。两个(字符串)参数都必须正确编码/转义,这样它们就不会干扰实际的查询(结构)
这是由mysql_real_sescape_string完成的。但是这个函数需要来自连接资源(即连接字符集)的一些信息才能正常工作。因此,只有在通过mysql_connect建立了mysql连接之后,才能调用mysql_real_eescape_string()。

<?php
if ( !isset($_GET['key']) ) {
    echo "Usage: api.php?key={YourUniqueKey}";
}
else {
    if (!empty($_SERVER['HTTP_CLIENT_IP'])) {
        $ip = $_SERVER['HTTP_CLIENT_IP'];
    } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
        $ip = $_SERVER['HTTP_X_FORWARDED_FOR'];
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    $apikey = $_GET['key'];
    echo htmlspecialchars($apikey)."<br />".htmlspecialchars($ip);
    $mysql_host = "**.***.**.***";
    $mysql_database = "*****";
    $mysql_user = "********";
    $mysql_password = "******************";
    $link = mysql_connect($mysql_host,$mysql_user,$mysql_password) or die('database connection failed');
    mysql_select_db($mysql_database, $link) or die("Unable to select database");
    $query = sprintf(
        "
            SELECT
                COUNT(*)
            FROM
                api
            WHERE
                apikey='%s'
                AND ip='%s'
        ", 
        mysql_real_escape_string($apikey, $link),
        mysql_real_escape_string($ip, $link)
    );
    $result=mysql_query($query, $link);
    if (!$result) {
        die(mysql_error());
    }
    $row = mysql_fetch_row($result);
    if ( '1'==$row[0] ) {
        echo 'yay';
    }
    else {
        echo 'nay';
    }
}
相关文章:
最新更新
www.56WenDa.com 2012-2023 | php问答网 | php学习