在之前提到當網頁程式的開發者如果不注意的話
會產生 SQL Injection 的問題
此在提供一些PHP程式開發者
要預防SQL Injection的方法
1.將錯誤訊息關閉,如此可以讓駭客無法利用錯誤訊息來試探你的資料庫欄位和名稱
2.當要寫入資料庫時,先用 mysql_real_escape_string() 函數過濾
之前的例子:
member_account = (使用者帳號)
member_password = (使用者密碼)
“select * from member where member_account=’ ” + member_account + ” ‘ and member_password=’ ” + member_password + “‘”;
現在如果
member_account = ’ or ’1′=’1
member_password = ’ or ’1′=’1
先用mysql_real_escape_string過濾
member_account = mysql_real_escape_string(member_account);
member_password = mysql_real_escape_string(member_password);
則此SQL字串變成
“select * from member where member_account=’ \‘ or\ ’1\′=\’1′ and member_password=’ \ ’ or\ ’1\′=\’1′ “;
如此此SQL Injection攻擊就會失效
Hello there I am so thrilled I found your web site, I really found you by accident, while I was searching on Aol for something else, Anyhow I am here now and would just like to say kudos for a remarkable post and a all round interesting blog (I also love the theme/design), I don抰 have time to read through it all at the minute but I have book-marked it and also added your RSS feeds, so when I have time I will be back to read a great deal more, Please do keep up the awesome job.