在用HTML/CSS构建网站后,我只是在学习PHP和脚本的基础知识。我正在尝试制作一个提交到数据库的简单表单,只收集电子邮件地址和名称。下面是我正在使用的基本代码。我对它做了一些调整,但没什么大的。我知道我需要清理这些数据,我已经读了几十篇关于如何做到这一点的文章,我只是不知道如何添加escape_string或PHP函数。我以为我做到了,我已经尝试了几十种方法,但当我测试时,它们似乎没有任何区别。我知道这只是我一时的无知,但我有点执拗,所以任何帮助都会很棒。
<?php
$con = mysql_connect("localhost","peter","abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("my_db", $con);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
@rwhite35这是最终结果吗?
<?php
// sanitize a string in prep for passing a single argument to system() (or similar)
function sanitize_system_string($string, $min='', $max='')
{
$pattern = '/(;|'||`|>|<|&|^|"|'."'n|'r|'".'|{|}|[|]|')|'()/i';
// no piping, passing possible environment variables ($),
// seperate commands, nested execution, file redirection,
// background processing, special commands (backspace, etc.), quotes
// newlines, or some other special characters
$string = preg_replace($pattern, '', $string);
//make sure this is only interpreted as ONE argument
$string = '"'.preg_replace('/'$/', ''''$', $string).'"';
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
return FALSE;
return $string;
}
$con = mysql_connect("localhost","root","root");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("form-try", $con);
$firstname = sanitize_system_string($_POST['firstname'],2,44);
$lastname = sanitize_system_string($_POST['lastname'],2,44);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES
('$_POST[firstname]','$_POST[lastname]','$_POST[age]')";
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record added";
mysql_close($con);
?>
您的代码容易出现SQL注入。使用PDO或MYSQLI
使用PDO扩展的示例:
<?php
$stmt = $dbh->prepare("INSERT INTO Persons (FirstName, LastName, Age) VALUES (?,?,?)");
$stmt->bindParam(1, $_POST[firstname]);
$stmt->bindParam(2, $_POST[lastname]);
$stmt->bindParam(3, $_POST[age]);
$stmt->execute();
?>
这将允许您插入带有单引号的记录。
我认为吴宇森指的是您将$_POST[名字]直接传递到INSERT语句中。这很危险。下面是我用来清理输入的简单函数,然后我将使用mysqli进行查询。这是一种"腰带和吊带"的方法。
// sanitize a string in prep for passing a single argument to system() (or similar)
function sanitize_system_string($string, $min='', $max='')
{
$pattern = '/(;|'||`|>|<|&|^|"|'."'n|'r|'".'|{|}|[|]|')|'()/i';
// no piping, passing possible environment variables ($),
// seperate commands, nested execution, file redirection,
// background processing, special commands (backspace, etc.), quotes
// newlines, or some other special characters
$string = preg_replace($pattern, '', $string);
//make sure this is only interpreted as ONE argument
$string = '"'.preg_replace('/'$/', ''''$', $string).'"';
$len = strlen($string);
if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
return FALSE;
return $string;
}
然后在稍后处理表单数据的代码中。。。
$firstname = sanitize_system_string($_POST['firstname'],2,44);
$lastname = sanitize_system_string($_POST['lastname'],2,44);
此过程将实例化变量$firstname和$lastname,并使用函数sance_system_string的结果;它将删除$_POST变量中的"{,<,&,`,;"等字符。这些字符可以由mysql引擎作为命令读取。此外,它还设置了最小和最大字符数。输入必须至少为2个字符,最多不超过44个字符。祝好运