
php - How can I secure this PHP script?

Reposted. Author: 太空宇宙. Updated: 2023-11-03 11:14:58

Can anyone offer any advice on how to protect this PHP script against SQL injection:

<?php
include("config.php");
if(isset($_POST['lastmsg']))
{
    // The check is on $_POST but the value is read from $_GET, the procedural
    // mysqli_real_escape_string() call is missing its connection argument, and
    // the query itself goes through the separate mysql_* API.
    $lastmsg = mysqli_real_escape_string($_GET['lastmsg']);
    // $lastmsg is interpolated straight into the SQL text
    $result=mysql_query("select * from messages where msg_id<'$lastmsg' order by msg_id desc limit 9");
    $count=mysql_num_rows($result);
    while($row=mysql_fetch_array($result))
    {
        $msg_id=$row['msg_id']; // was $row['ms_gid'], a typo for the msg_id column
        $message=$row['message'];
?>
<li>[
<?php echo $message; ?>
</li>
<?php
    }
?>
<div id="more<?php echo $msg_id; ?>" class="morebox">
<a href="#" id="<?php echo $msg_id; ?>" class="more">more</a>
</div>
<?php
}
?>

Thanks :)

Accepted answer

$lastmsg = mysqli_real_escape_string($_GET['lastmsg']);

If you have access to mysqli you should prefer it over mysql, because it lets you bind parameters to statements and thereby sidestep SQL injection attacks. Example code in procedural style:

$link = mysqli_connect();
$stmt = mysqli_stmt_init($link);
// The ? placeholder keeps the user-supplied value out of the SQL text entirely
mysqli_stmt_prepare($stmt, "select * from messages where msg_id < ? order by msg_id desc limit 9");
// Bind the request value to the placeholder ("s" = send it as a string)
mysqli_stmt_bind_param($stmt, "s", $_GET['lastmsg']);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
$count = mysqli_stmt_num_rows($stmt);

Regarding "php - How can I secure this PHP script?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5681366/
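The accepted answer shows the prepared statement in isolation. The following is an added example, not code from the question or the answer, that carries the idea through the whole script: mysqli in exception mode, the request parameter validated as an integer before it is bound, the LIMIT bound as well, and the message escaped on output (the original echoes $message raw, so a stored message could inject HTML into the page). It assumes config.php defines $db_host, $db_user, $db_pass and $db_name (hypothetical names; adapt to your own config), a messages table with msg_id and message columns as in the question, and that lastmsg arrives via GET, matching the answer's code rather than the question's isset($_POST[...]) check.

```php
<?php
// Added example (not from the question or the accepted answer): a hardened
// rewrite of the "load more messages" script using mysqli throughout.
// Assumes config.php defines $db_host, $db_user, $db_pass, $db_name
// (hypothetical names; adapt to your own config.php).
declare(strict_types=1);

include 'config.php';

// Turn mysqli warnings into exceptions so a failed prepare/execute cannot be
// silently ignored and a half-built page served anyway.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$link = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
// Set the connection charset so escaping and binding agree with the server.
mysqli_set_charset($link, 'utf8mb4');

/**
 * Fetch up to $limit messages with msg_id below $lastmsg, newest first.
 * Both values are bound as integers ("ii"), so neither ever becomes part of
 * the SQL text and no escaping is needed.
 */
function fetch_older_messages(mysqli $link, int $lastmsg, int $limit = 9): array
{
    $stmt = mysqli_prepare(
        $link,
        'SELECT msg_id, message FROM messages WHERE msg_id < ? ORDER BY msg_id DESC LIMIT ?'
    );
    mysqli_stmt_bind_param($stmt, 'ii', $lastmsg, $limit);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $msg_id, $message);

    $rows = [];
    while (mysqli_stmt_fetch($stmt)) {
        $rows[] = ['msg_id' => $msg_id, 'message' => $message];
    }
    mysqli_stmt_close($stmt);
    return $rows;
}

// Validate the request parameter as an integer before it goes anywhere near
// the query. filter_input() returns null when the parameter is absent and
// false when it is present but not an integer; both are rejected.
$lastmsg = filter_input(INPUT_GET, 'lastmsg', FILTER_VALIDATE_INT);
if ($lastmsg === null || $lastmsg === false) {
    http_response_code(400);
    exit;
}

$rows = fetch_older_messages($link, $lastmsg);
foreach ($rows as $row) {
    // Escape on output: message bodies come from other users and must not be
    // interpreted as markup when rendered into the list.
    echo '<li>' . htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}

// Emit the "more" control with the oldest id returned, so the next request
// continues from there (the original used the last $msg_id of the loop).
if ($rows !== []) {
    $last_id = (int) end($rows)['msg_id'];
    echo '<div id="more' . $last_id . '" class="morebox">';
    echo '<a href="#" id="' . $last_id . '" class="more">more</a>';
    echo "</div>\n";
}
```

Two points worth noting against the original script. First, escaping was never actually in effect there: procedural mysqli_real_escape_string() takes the connection as its first argument, and even a correct call would only protect a query sent over that same mysqli connection, not one sent through mysql_query(). Second, binding with "i" rather than "s" means a non-numeric lastmsg is refused at the PHP layer instead of being coerced by MySQL, which makes the failure visible rather than silent.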
