PHP SQL Injection 攻擊防護

在之前提到當網頁程式的開發者如果不注意的話

會產生  SQL Injection 的問題

此在提供一些PHP程式開發者

要預防SQL Injection的方法

1.將錯誤訊息關閉,如此可以讓駭客無法利用錯誤訊息來試探你的資料庫欄位和名稱

2.當要寫入資料庫時,先用 mysql_real_escape_string() 函數過濾

之前的例子:

member_account  = (使用者帳號)

member_password = (使用者密碼)

“select * from member where member_account=’ ” + member_account + ” ‘ and member_password=’ ” + member_password + “‘”;

現在如果

member_account   =  ’ or ’1′=’1

member_password  =  ’ or ’1′=’1

先用mysql_real_escape_string過濾

member_account   = mysql_real_escape_string(member_account);

member_password  =  mysql_real_escape_string(member_password);

則此SQL字串變成

“select * from member where member_account=’ \‘ or\ ’1\′=\’1′ and member_password=’ \ ’ or\ ’1\′=\’1′ “;

如此此SQL Injection攻擊就會失效

1 則迴響於《PHP SQL Injection 攻擊防護

  1. Hello there I am so thrilled I found your web site, I really found you by accident, while I was searching on Aol for something else, Anyhow I am here now and would just like to say kudos for a remarkable post and a all round interesting blog (I also love the theme/design), I don抰 have time to read through it all at the minute but I have book-marked it and also added your RSS feeds, so when I have time I will be back to read a great deal more, Please do keep up the awesome job.

發佈留言

發佈留言必須填寫的電子郵件地址不會公開。 必填欄位標示為 *