
php - Securing a Joomla SQL connection

Reposted. Author: 行者123. Updated: 2023-11-30 22:33:55

I use this code on my forum to "check for a repeated IP":

<?php

// $forum is the post/user data already loaded by the surrounding forum code
$db = JFactory::getDBO();

$pid = $forum['Post']['topic_id'];

$ipaddress = $forum['User']['ipaddress'];

// $ipaddress is concatenated straight into the SQL text; only $pid is cast
$query = 'SELECT count(ipaddress) FROM #__forum_comments WHERE ipaddress = "' . $ipaddress . '" AND pid = ' . (int) $pid;

$count_ip = $db->setQuery($query)->loadResult();

if ($count_ip >= 2) {
    echo 'Your ip repeated';
}

?>

I asked the developer who wrote this code about protection against SQL injection, and this is what they said:

The native Joomla method is JFactory::getDBO() which is the right way to do it. You can try using the escape method to see if that works: $ipaddress = $db->escape($forum['User']['ipaddress']); There's no need to escape the $pid because casting it to an integer is enough. In fact, since both values come straight from the database it's pretty safe to assume that there cannot be any sort of mysql injection here even without escaping.

Do I need to do something like this?

// escaping to prevent SQL injection ($mysqli is the mysqli connection handle)
$pid = mysqli_real_escape_string($mysqli, $review['Review']['listing_id']);
$ipaddress = mysqli_real_escape_string($mysqli, $review['User']['ipaddress']);

Best answer

You should do this:

// read the values through Joomla's JInput so they are filtered on the way in
$jinput = JFactory::getApplication()->input;
$pid = $jinput->get('pid', '', 'integer');  // 'integer' filter: cast to int
$ip = $jinput->get('ip', '', 'string');     // 'string' filter: plain string, tags removed

Then you can run your query.
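The point the thread does not spell out: an input filter such as JInput's 'string' filter is not SQL quoting, and a value that "comes from the database" was still user-supplied at some earlier point (the stored IP came from REMOTE_ADDR or a proxy header a client can set), so it can carry SQL syntax into a later query. The following is an added example, not code from the question, the answer or Joomla itself; it assumes it runs inside a Joomla 3.x extension (Joomla 4 still aliases the legacy JFactory/JDatabaseDriver names), that #__forum_comments has the `ipaddress` and `pid` columns named in the question, and the function names and the topic id are ours. It quotes the string with the driver's own quote() and casts the integer, and puts the original concatenated query beside it so the effect of a hostile value is visible.

```php
<?php
// Added example, not from the original page. Assumes a Joomla 3.x/4.x
// extension context where JFactory and JDatabaseDriver are loaded and the
// #__forum_comments table has `ipaddress` and `pid` columns (from the question).
defined('_JEXEC') or die;

/**
 * Count comments on topic $pid posted from $ipaddress, with every value that
 * lands in the SQL text either quoted by the driver or cast to an integer.
 */
function countCommentsFromIp(JDatabaseDriver $db, $ipaddress, $pid)
{
    $query = $db->getQuery(true)
        ->select('COUNT(' . $db->quoteName('ipaddress') . ')')
        ->from($db->quoteName('#__forum_comments'))
        // quote() escapes the value and wraps it in the driver's string quotes,
        // so a quote character inside $ipaddress stays part of the literal
        ->where($db->quoteName('ipaddress') . ' = ' . $db->quote($ipaddress))
        // an integer cast leaves nothing that can be parsed as SQL syntax
        ->where($db->quoteName('pid') . ' = ' . (int) $pid);

    return (int) $db->setQuery($query)->loadResult();
}

/**
 * The query text the original snippet builds, reproduced only so the two
 * can be compared; it is not executed here.
 */
function vulnerableQueryText($ipaddress, $pid)
{
    return 'SELECT count(ipaddress) FROM #__forum_comments'
        . ' WHERE ipaddress = "' . $ipaddress . '" AND pid = ' . (int) $pid;
}

// Constructed hostile value: the double quote closes the string literal in the
// original query and the remainder is parsed as SQL. With MySQL's default
// sql_mode, double quotes delimit strings, which is what the original relies on.
$hostileIp = '1.2.3.4" OR "1"="1';
$pid       = 42; // constructed topic id

$db = JFactory::getDbo();

// Original concatenation yields:
//   ... WHERE ipaddress = "1.2.3.4" OR "1"="1" AND pid = 42
// AND binds tighter than OR, so this counts every comment on topic 42
// regardless of IP, and the "repeated ip" check fires for everyone.
echo vulnerableQueryText($hostileIp, $pid), "\n";

// Hardened form: the same value is emitted as one escaped, quoted literal
// ('1.2.3.4\" OR \"1\"=\"1') and matches no row unless a comment really
// stored that exact string as its address.
$count = countCommentsFromIp($db, $hostileIp, $pid);
if ($count >= 2) {
    echo 'Your ip repeated';
}
```

Casting $pid with (int) is sufficient on its own, as the developer said; the string value is the one that needs quoting whether it arrives from the request or from a row written earlier.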

Regarding "php - Securing a Joomla SQL connection", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/33088642/
