开发者

How do i secure this PHP script?

问答 作者:

I'm worried about sql injection, so 开发者_Python百科how do i prevent it? I'm using this script but have had several people tell me its very insecure, if anyone can help by telling me how it would be great :).

source code:

if(isset($_POST['lastmsg']))
{
$lastmsg=$_POST['lastmsg'];
$result=mysql_query("SELECT * FROM updates WHERE item_id<'$lastmsg' ORDER BY item_id DESC LIMIT 16");
$count=mysql_num_rows($result);
while($row=mysql_fetch_array($result))
{
$msg_id=$row['item_id'];
$message=$row['item_content'];

Never, ever, put information from the user ($_POST or $_GET) directly into a query. If they are numbers, always convert them to integers first with (int)$var or intval($var); if they are strings, always escape them with mysql_real_escape_string().

Read http://us2.php.net/mysql_real_escape_string and use it. 

$lastmsg = intval($_POST['lastmsg']);

The best solution is migrating to mysqli_ or PDO and using prepared statements for your queries.

Make sure the magic_quotes_gpc directive is disabled in your PHP configuration (PHP.ini).

If lastmsg is a string and you are using mysql, do this:

$lastmsg = mysql_real_escape_string($_POST['lastmsg']);

If lastmsg is a string and your DBMS does not have a native escape function, do this:

$lastmsg = addslashes($_POST['lastmsg']);

If lastmsg should be a number, check for that instead and don't do any escaping. You can use function is_numeric() and then cast the numeric string to an integer using intval().

You can simply add this :

$lastmsg=addslashes($_POST['lastmsg']);

for a larger scale you can use a more robust solution here is the function you can use

function escape_value($value) {
    $magic_quotes_active = get_magic_quotes_gpc();
    $new_php = function_exists("mysql_real_escape_string");
    if ($new_php){
        if ($magic_quotes_active){
            $value = stripslashes($value);
            }
        $value = mysql_real_escape_string($value);
    } else {
        if(!$magic_quotes_active) { $value = addslashes($value); }
    }
    return trim($value);
}

mysql_real_escape_string is not always available so here is a work around

继续阅读:phpsecuritysql-injection

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9