How can I prevent SQL injection with CodeIgniter [duplicate]
【Posted】: 2013-05-01 23:08:12
【Question】: I want to protect my statements against injection, but I am confused about Active Record and query bindings.
This is my current MySQL query result.
$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id
FROM exp_members as em
INNER JOIN transactions as t on (em.member_id = t.cardid-10000000)
INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id)
INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id)
INNER join exp_member_data as emd on em.member_id = emd.member_id
WHERE em.member_id = '".($_GET['cardid']-10000000)."'");
This is how I tried to prevent MySQL injection. Is this safe enough?
$results = $this->EE->db->query("SELECT t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id
FROM exp_members as em
INNER JOIN transactions as t on (em.member_id = t.cardid-10000000)
INNER JOIN exp_channel_titles as ct on (t.restaurant_id = ct.entry_id)
INNER JOIN exp_channel_data as cd on (ct.entry_id = cd.entry_id)
INNER join exp_member_data as emd on em.member_id = emd.member_id
WHERE em.member_id = '".$this->db->escape(($_GET['cardid']-10000000))."'");
But is this also an option?
$this->load->database();
$this->load->library('table');
$this->db->select(' t.transactionid, t.transactiontime, t.created, ct.title, cd.field_id_6, cd.field_id_5, cd.field_id_7, t.pricebefordiscount, t.priceafterdiscount, t.error, t.cardid, em.email, emd.m_field_id_2, emd.m_field_id_6, emd.m_field_id_5, emd.m_field_id_7, emd.m_field_id_4, t.restaurant_id');
$this->db->from('exp_members');
$this->db->join('transactions', 'exp_members.member_id = transactions.cardid-10000000', 'inner');
$this->db->join('exp_channel_titles', 'transactions.restaurant_id = exp_channel_titles.entry_id', 'inner');
$this->db->join('exp_channel_data', 'exp_channel_titles.entry_id = exp_channel_data.entry_id', 'inner');
$this->db->join('exp_member_data', 'exp_members.member_id = exp_member_data.member_id', 'inner');
$this->db->where('exp_members.member_id', $this->db->escape(($_GET['cardid']-10000000)));
$query = $this->db->get();
echo $query;
Is this approach safe or correct enough, or am I missing something?
【Answer 1】: The last two methods are correct and will avoid SQL injection. In the last code, using Active Record, you don't need to call escape, because CodeIgniter does it automatically.
【Comments】:
In method nr 2, is this correct:
WHERE em.member_id = '".$this->db->escape(($_GET['cardid']-10000000))."'" );
or
WHERE em.member_id = '?'", array($this->input->get('cardid'-10000000)));
Both are correct, but the second approach is cleaner. With either approach you do not need to write the quotes. $this->db->escape already adds the quotes, and you only need to write em.member_id = ? and CodeIgniter will set the quotes automatically: ellislab.com/codeigniter/user-guide/database/queries.html
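The unquoted `?` placeholder discussed above, shown end to end as an added example (not code from the question or the answer). It assumes PDO with in-memory SQLite as a stand-in for CodeIgniter's database driver; the helper `member_id_from_cardid`, the reduced two-table schema and the sample rows are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for CodeIgniter's database driver.
// Table and column names follow the question; the rows are constructed sample data.

const CARD_OFFSET = 10000000;

// Hypothetical helper: accept only a plain decimal card id, return the member id or null.
function member_id_from_cardid($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^[0-9]{1,15}$/', $raw)) {
        return null; // rejects arrays, signs, spaces and anything that is not digits
    }
    $memberId = (int) $raw - CARD_OFFSET;
    return $memberId > 0 ? $memberId : null;
}

function find_transactions(PDO $db, int $memberId): array
{
    // The placeholder is written without quotes; PDO binds the value apart from the SQL text.
    // In CodeIgniter the same SQL and value are passed as $this->db->query($sql, array($memberId)).
    $sql = 'SELECT t.transactionid, t.cardid, em.email
              FROM exp_members AS em
              INNER JOIN transactions AS t ON (em.member_id = t.cardid - 10000000)
             WHERE em.member_id = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$memberId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE exp_members (member_id INTEGER PRIMARY KEY, email TEXT)');
$db->exec('CREATE TABLE transactions (transactionid INTEGER PRIMARY KEY, cardid INTEGER)');
$db->exec("INSERT INTO exp_members VALUES (1, 'a@example.test'), (2, 'b@example.test')");
$db->exec('INSERT INTO transactions VALUES (100, 10000001), (101, 10000002)');

// Constructed inputs: one well-formed card id and two malformed ones.
foreach (['10000001', '10000001 OR 1=1', '-5'] as $cardid) {
    $memberId = member_id_from_cardid($cardid);
    if ($memberId === null) {
        echo "rejected: $cardid\n";
        continue;
    }
    printf("%s -> %d row(s)\n", $cardid, count(find_transactions($db, $memberId)));
}
```

Validating the card id before the subtraction means malformed input is rejected outright instead of being silently coerced to a number by PHP's arithmetic.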