
Am I safe from SQL-injections?

I'm using a simple cms as backend to my website where I'm able to update news and such. I want to be safe from SQL-injections, so I'm wondering if this code is considered to be safe or if there's something I can do to make it safer:

if($_POST) {
    if(isset($_POST['title']) and isset($_POST['content']) and isset($_POST['added'])) {
        $title = "'".mysql_real_escape_string($_POST['title'])."'";
        $content = "'".mysql_real_escape_string($_POST['content'])."'";
        $added = "'".mysql_real_escape_string($_POST['added'])."'";

        if(isset($_POST['id']) && $_POST['id']!=''){
            // note: $_POST['id'] goes into the query unescaped and unquoted
            $result = mysql_query("UPDATE news SET title = ".$title.", added = ".$added.", content = ".$content." WHERE id = ".$_POST['id']);
            $msg = "News Updated Successfully";
        }else{
            $result = mysql_query("INSERT INTO news (title, content, added) values($title, $content, $added)") or die("err0r");
            $msg = "News Added Successfully";
        }
    }
}

Thanks and have a great day!


You are not sanitizing $_POST['id'].

Do an intval() on it, or (better) refuse processing altogether if the ID is not an integer (assuming ID is an int field).

if (!is_numeric($_POST['id']))
    die("Invalid ID");


One thing you should do is make sure the ID is an integer (which it probably needs to be):

$id = (int)$_POST['id'];


if there's something I can do to make it safer

Yes, you can use the PDO interface with prepared statements, so that the query is built separately from the data (which is bound later) and no kind of injection is ever possible.

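The following is an added example, not code from the question or from any of the answers above. It combines the two recommendations in this thread: the id is validated as a positive integer before it is used (the point of the first two answers), and the UPDATE/INSERT are run through PDO prepared statements so that SQL text and data never mix (the third answer). It assumes a MySQL table named news with columns id, title, content and added, and the DSN, username and password are placeholders to be replaced. The mysql_* functions used in the question were removed in PHP 7, so PDO or mysqli is what the code has to use on a current PHP anyway.

```php
<?php
// Added example: prepared-statement version of the news save logic.
// Assumptions: table `news` (id INT PK, title, content, added); placeholder
// connection details below; PHP >= 7.1 for the nullable return type.

function connectNewsDb(): PDO
{
    // Placeholder DSN/credentials: replace with the real ones.
    return new PDO(
        'mysql:host=localhost;dbname=cms;charset=utf8mb4',
        'db_user',
        'db_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
            PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepares
        ]
    );
}

// Accepts only a positive integer in canonical form.
// "12abc", "1e3", "0x1A", " 7", "" and arrays are all rejected and yield null,
// which is stricter than is_numeric() or an (int) cast.
function parseNewsId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Updates the row when $id is given, inserts a new one otherwise.
// Every value travels as a bound parameter, never as part of the SQL string.
function saveNews(PDO $pdo, string $title, string $content, string $added, ?int $id): string
{
    if ($id !== null) {
        $stmt = $pdo->prepare(
            'UPDATE news SET title = :title, added = :added, content = :content WHERE id = :id'
        );
        $stmt->bindValue(':title',   $title,   PDO::PARAM_STR);
        $stmt->bindValue(':added',   $added,   PDO::PARAM_STR);
        $stmt->bindValue(':content', $content, PDO::PARAM_STR);
        $stmt->bindValue(':id',      $id,      PDO::PARAM_INT);
        $stmt->execute();
        return 'News Updated Successfully';
    }

    $stmt = $pdo->prepare(
        'INSERT INTO news (title, content, added) VALUES (:title, :content, :added)'
    );
    $stmt->bindValue(':title',   $title,   PDO::PARAM_STR);
    $stmt->bindValue(':content', $content, PDO::PARAM_STR);
    $stmt->bindValue(':added',   $added,   PDO::PARAM_STR);
    $stmt->execute();
    return 'News Added Successfully';
}

// Request handling, mirroring the structure of the original snippet.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['title'], $_POST['content'], $_POST['added'])) {

    $id = null;
    if (isset($_POST['id']) && $_POST['id'] !== '') {
        $id = parseNewsId($_POST['id']);
        if ($id === null) {
            // Refuse the request instead of trying to "clean" a bad id.
            http_response_code(400);
            exit('Invalid ID');
        }
    }

    $msg = saveNews(
        connectNewsDb(),
        (string) $_POST['title'],
        (string) $_POST['content'],
        (string) $_POST['added'],
        $id
    );
}
```

With the SQL fixed as a literal and all values bound, the quoting that mysql_real_escape_string was doing by hand in the question is no longer needed; the driver sends the data separately from the statement. Validating the id with FILTER_VALIDATE_INT also catches inputs that is_numeric() would let through, such as "1e3", and turning on ERRMODE_EXCEPTION means a failed query is visible rather than silently returning false.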