
A reasonable level of security vs. sql injection?

I'm getting ready to launch a site - the first one that I coded from the ground up. It's going to be low traffic, and low-profile (probably won't get spidered by search engines.) I'm using PEAR's DB library and its query() method's placeholders to store user data, as follows:

<?php
require_once('db.inc'); // sets up $conn, a PEAR DB connection
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$rsvp = $_POST['rsvp'];
$mail = $_POST['email'];
$phone = $_POST['phone'];
$lodging = $_POST['lodging'];
$extra = $_POST['extra'];
$msg = $_POST['msg'];
$password = $_POST['password'];
$id = isset($_POST['id']) ? $_POST['id'] : null; // absent on a brand-new RSVP
$username = $firstname . ' ' . $lastname;

if (isset($id)) {
  // 9 SET columns + 1 WHERE column: 10 placeholders, 10 values
  $sql = $conn->query("UPDATE guest SET username = ?, mail = ?, phone = ?, lodging = ?, extra = ?, msg = ?, role = ?, password = ?, mailed = ? WHERE id = ?", array($username, $mail, $phone, $lodging, $extra, $msg, 2, $password, 0, $id)); //TODO!! set mailed to 1 in production
} else {
  // 10 columns: 10 placeholders, 10 values
  $sql = $conn->query('INSERT INTO guest (username, password, rsvpstatus, role, mail, phone, lodging, extra, msg, mailed) VALUES (?,?,?,?,?,?,?,?,?,?)', array($username, $password, $rsvp, 2, $mail, $phone, $lodging, $extra, $msg, 1));
}

header('location:main.php');

Does this seem like a reasonable level of protection vs sql injection?


Placeholders and binding like you are doing are exactly the defense against sql injection. As long as you never directly interpolate any user input into the sql, you're fine.
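To make the "never interpolate" rule concrete, here is the same RSVP form written against PDO with bound parameters. This is an added example, not code from the question or from PEAR DB; the DSN, credentials and the field defaults are assumptions, and the `guest` columns are the ones the question uses. Because PDO throws on a missing or extra placeholder, the kind of placeholder/value count mismatch that is easy to make in a long `?` list cannot slip through silently.

```php
<?php
// Added example: the question's INSERT/UPDATE logic on PDO with bound parameters.
// DSN and credentials are placeholders (assumption); table and columns are from the question.

$pdo = new PDO('mysql:host=localhost;dbname=rsvp;charset=utf8mb4', 'rsvp_user', 'REPLACE_ME', [
    // Raise exceptions instead of returning false, so a bad query cannot be ignored.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: the SQL text and the values travel separately,
    // so user input is never parsed as part of the statement.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Read a form field with an empty default so a missing key does not raise a notice.
function field(string $name): string
{
    return isset($_POST[$name]) ? (string) $_POST[$name] : '';
}

$username = field('firstname') . ' ' . field('lastname');
// Hashing is an addition to the question's code; never store the raw password.
$password = password_hash(field('password'), PASSWORD_DEFAULT);
$id       = isset($_POST['id']) ? (int) $_POST['id'] : null;

if ($id !== null) {
    // 9 SET columns + 1 WHERE column: every value goes through a named placeholder.
    $stmt = $pdo->prepare(
        'UPDATE guest SET username = :username, mail = :mail, phone = :phone, ' .
        'lodging = :lodging, extra = :extra, msg = :msg, role = :role, ' .
        'password = :password, mailed = :mailed WHERE id = :id'
    );
    $stmt->execute([
        ':username' => $username,
        ':mail'     => field('email'),
        ':phone'    => field('phone'),
        ':lodging'  => field('lodging'),
        ':extra'    => field('extra'),
        ':msg'      => field('msg'),
        ':role'     => 2,
        ':password' => $password,
        ':mailed'   => 0,
        ':id'       => $id,
    ]);
} else {
    // 10 columns, 10 named placeholders; PDO throws if any key is missing or extra.
    $stmt = $pdo->prepare(
        'INSERT INTO guest (username, password, rsvpstatus, role, mail, phone, lodging, extra, msg, mailed) ' .
        'VALUES (:username, :password, :rsvpstatus, :role, :mail, :phone, :lodging, :extra, :msg, :mailed)'
    );
    $stmt->execute([
        ':username'   => $username,
        ':password'   => $password,
        ':rsvpstatus' => field('rsvp'),
        ':role'       => 2,
        ':mail'       => field('email'),
        ':phone'      => field('phone'),
        ':lodging'    => field('lodging'),
        ':extra'      => field('extra'),
        ':msg'        => field('msg'),
        ':mailed'     => 1,
    ]);
}

header('Location: main.php');
exit; // stop executing after the redirect header
```

The security property is the same as with PEAR DB's placeholders: the statement text contains no user data at all, so there is nothing for a malformed value to break out of. The explicit `(int)` cast on `id` is belt-and-braces; with binding it is not needed for injection safety, but it documents the expected type.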


You can use the mysql_real_escape_string function in PHP (see the function on php.net)

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query()

Example:

$secure_firstname = mysql_real_escape_string( $_POST['firstname'] );
$secure_lastname = mysql_real_escape_string( $_POST['lastname'] );
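A caveat worth knowing before relying on escaping instead of binding. The following is an added example, not part of the answer above: the `mysql_*` extension the answer refers to was removed in PHP 7, so the mysqli equivalent is used, and the connection details are assumptions. Escaping only protects a value that ends up inside a quoted string literal; spliced into an unquoted (numeric) position, the escaped text is still parsed as SQL grammar. A cast or, better, a bound parameter closes that gap.

```php
<?php
// Added example: where escaping helps and where it does not. Connection details are assumptions.

$conn = new mysqli('localhost', 'rsvp_user', 'REPLACE_ME', 'rsvp');
// Escaping is charset-aware: tell the driver the connection charset explicitly
// rather than via a SET NAMES query, so real_escape_string() uses the right one.
$conn->set_charset('utf8mb4');

// 1. Inside a quoted literal, escaping does its job: quotes and backslashes in
//    $firstname cannot end the string early.
function lookupByName(mysqli $conn, string $firstname): string
{
    $safe = $conn->real_escape_string($firstname);
    return "SELECT id FROM guest WHERE username LIKE '" . $safe . " %'";
}

// 2. In an unquoted numeric position the same call is not a defence: there is
//    no string literal for the escaping to protect, so anything that is not a
//    number becomes part of the statement.
function lookupByIdWeak(mysqli $conn, string $id): string
{
    return 'SELECT username FROM guest WHERE id = ' . $conn->real_escape_string($id);
}

// 2b. Forcing the type fixes the numeric case without any escaping.
function lookupByIdCast(string $id): string
{
    return 'SELECT username FROM guest WHERE id = ' . (int) $id;
}

// 3. Binding removes the question entirely: the statement is parsed before the
//    value arrives, and quoting/escaping becomes the driver's responsibility.
function lookupByIdBound(mysqli $conn, string $id): ?string
{
    $intId = (int) $id;             // bind_param takes variables by reference
    $stmt  = $conn->prepare('SELECT username FROM guest WHERE id = ?');
    $stmt->bind_param('i', $intId); // 'i' = integer parameter
    $stmt->execute();
    $stmt->bind_result($username);
    return $stmt->fetch() ? $username : null;
}
```

The practical rule that falls out of this: escaping is a per-literal, per-charset operation that you have to get right at every call site, whereas a placeholder is right by construction. Use escaping only for the rare case a driver cannot parameterise (identifiers, for example), and then whitelist rather than escape.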


So long as that library quotes and escapes all of its arguments, it will be fine.
