php是怎样防止注入的?
新人提问:比如get或post提交id、username、content,如何防止注入呢?下面这段代码,在注入方面安全吗?
$db = mysql_connect('localhost','root','123456');
$query = "insert into {$comments_table} values (null,'{$username}','{$content}')";
$result = mysql_query($query, $db);
if ($result){
echo '提交成功';
}else{
echo '发生错误';
}
新人提问:比如get或post提交id、username、content,如何防止注入呢?下面这段代码,在注入方面安全吗?
$db = mysql_connect('localhost','root','123456');
$query = "insert into {$comments_table} values (null,'{$username}','{$content}')";
$result = mysql_query($query, $db);
if ($result){
echo '提交成功';
}else{
echo '发生错误';
}
最好写在外部只读的php或者inc文件里,然后用require_once加载到当前页。
http://topic.csdn.net/u/20090609/15/288b412e-bf21-4066-bada-b9f3f8550e1a.html
http://www.jb51.net/article/14120.htm
define('DB_USERNAME','root');
define('DB_PASSWORD','123456');$db = mysql_connect('DB_HOST','DB_USERNAME','DB_PASSWORD');$comments_table = preg_replace("/[^\w]/",'',$comments_table);
$username = preg_replace("/[^\w]/",'',$username);
// 用正则表达式 替换 非 a-zA-Z0-9_ 之外的任何字符$content = htmlspecialchars ($content, ENT_QUOTES);
// 用 htmlspecialchars 函数将所有特殊字符内容进行转义$query = "insert into {$comments_table} values (null,'{$username}','{$content}')";$result = mysql_query($query, $db);
if ($result)
{
echo '提交成功';
}
else
{
echo '发生错误';
}
* 数据库插入语句.$table为表名,$keyvalue为带key的数组,数组的key为字段,数组的value为插入的值
* 函数自动为插入字符串值加上单引号
*/
function mysql_insert($table,$keyvalue){
$key=implode(',',array_keys($keyvalue));
foreach($keyvalue as $tempkey=>$val){
if(is_string($val))$keyvalue[$tempkey]="'$val'";
}
$value=implode(',',$keyvalue);
$sql="insert into $table ($key) values ($value)";
mysql_query($sql) or die ("insert error");
}以下是实际应用,添加产品:
if($_POST['submit']){
zlsky_post_trim();
$sql=new MySql();
$arr=array("product_spec"=>"$_POST[spec]","product_candi"=>"$_POST[producing_area]","product_price"=>$_POST[spread],"product_title"=>"$_POST[producttitle]","product_kind"=>"$_POST[productkind]","product_visible"=>"$_POST[visible]","product_content"=>"$_POST[gcontent]");
if (is_uploaded_file($_FILES["upfile"][tmp_name])){
include("inc/upfileclass.php");
$upfile=new upfile();
$upfile->upfile();
$arr['product_img']="$upfile->fname";
}
if($sql->mysql_insert('product',$arr)){
alert_msg("产品添加成功",1);
}else{
alert_msg("产品添加失败",1);
}
}
刚刚看了一段代码,给大家分析一下。是否存在注入的可能?