SQL Injection

Cause of SQL injection

SQL injection arises because developers do not strictly validate and filter input data, and because they build SQL statements in an unsafe, non-standard way (splicing raw input into the statement text).

Example

A `user` table already exists and contains one row: username = 'cyx', password = '123'.
In a SQL statement, comment markers such as `/*` and `#` make the parser ignore the commented-out remainder of the statement; the example below abuses this to discard the password check.

<?php
$host     = "127.0.0.1";
$username = "root";
$password = 123;
$database = "game";
$port     = 3306;
$mysqli = new mysqli($host, $username, $password, $database, $port);
if ($mysqli->connect_error) {
    die("Connection error: " . $mysqli->connect_error);
}

$username = "'cyx'#";          // injection via SQL comment syntax: '#' discards everything after it
//$username = "'cyx' or 1=1";  // simple injection via boolean logic instead
$password = "12";              // wrong password, yet the row is still returned
$sql = "select * from user where username = $username and password=$password"; // unsafe: input spliced into the SQL text
echo $sql;                     // select * from user where username = 'cyx'# and password=12
$res = $mysqli->query($sql);
if ($res === false) {
    die("Query error: " . $mysqli->error);
}
var_dump($res->num_rows);      // int(1): the password comparison was commented out
$res->free();
$mysqli->close();

Fix: prepared statements with bound variables

  1. What is a prepared statement
    A prepared statement is a precompiled SQL statement object: the SQL text is parsed and compiled once and kept in the object. The encapsulated statement represents one class of operation; it may contain placeholder parameters (`?`) whose values are supplied separately at execution time, so the values are treated as data and never parsed as SQL syntax.

  2. Example

<?php
$host     = "127.0.0.1";
$username = "root";
$password = 123;
$database = "game";
$port     = 3306;
$mysqli = new mysqli($host, $username, $password, $database, $port);
if ($mysqli->connect_error) {
    die("Connection error: " . $mysqli->connect_error);
}

$username = "cyx";             // legitimate input; bound as data, so no quoting is needed
//$username = "'cyx'#";        // the injection string from above is bound as a literal value and matches no row
$password = "123";
$sql = "select id, username, password from user where username = ? and password = ?"; // placeholders instead of interpolation
echo $sql;
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    die("Prepare error: " . $mysqli->error);
}
$stmt->bind_param("ss", $username, $password); // both values bound as strings
$stmt->execute();
$id = "";
$username = "";
$password = "";
$stmt->bind_result($id, $username, $password); // one variable per selected column
// print the variables bound to the result set
while ($stmt->fetch()) {
    echo $id . "--" . $username . "--" . $password; // prints 1--cyx--123
}
$stmt->close();
// close the database connection
$mysqli->close();
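Both PHP scripts need a running MySQL server. The following Python script, added here as an example rather than code from the original post, reproduces both behaviours against a constructed in-memory SQLite table named `user` holding the same single row, so it runs offline: the string-spliced query accepts the `'cyx'#`-style payload and the `or 1=1` payload, while the parameterised query treats the same payloads as plain values that match nothing. SQLite does not recognise MySQL's `#` comment marker, so the payload uses SQLite's `--` line comment instead; the mechanism is the same. The function names (`make_db`, `build_sql`, `login_vulnerable`, `login_prepared`) are this example's own.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the page's `user` table: one row, username 'cyx', password '123'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO user (id, username, password) VALUES (1, 'cyx', '123')")
    conn.commit()
    return conn


def build_sql(username: str, password: str) -> str:
    """The unsafe pattern from the first PHP script: values spliced into the SQL text.
    Quoting is left to the caller, exactly as in the page's `$username = "'cyx'#"`."""
    return f"select * from user where username = {username} and password = {password}"


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Executes the spliced query: whatever the caller supplies is parsed as SQL."""
    return conn.execute(build_sql(username, password)).fetchall()


def login_prepared(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix from the second PHP script: `?` placeholders with values passed separately.
    The driver never interpolates the values into the statement text, so quotes and
    comment markers inside them are just characters of the data being compared."""
    sql = "select * from user where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Honest caller of the unsafe function: one row, as expected.
    print(build_sql("'cyx'", "'123'"))
    print(login_vulnerable(conn, "'cyx'", "'123'"))
    # Comment payload: `--` (MySQL: `#`) discards the password check, so a wrong password still matches.
    print(build_sql("'cyx'--", "12"))
    print(login_vulnerable(conn, "'cyx'--", "12"))
    # Logic payload from the page's commented-out line: AND binds tighter than OR.
    print(login_vulnerable(conn, "'cyx' or 1=1", "12"))
    # Same inputs through the parameterised query: only the real credentials match,
    # because no username literally equals "'cyx'--" or "'cyx' or 1=1".
    print(login_prepared(conn, "cyx", "123"))
    print(login_prepared(conn, "'cyx'--", "12"))
    print(login_prepared(conn, "'cyx' or 1=1", "12"))
```

Printing `build_sql(...)` next to each result mirrors the page's `echo $sql;` and is the quickest way to see why the spliced query succeeds: the statement the database actually receives ends at the comment marker, so the password predicate never reaches the parser.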