## SQL Injection

SQL injection is a malicious attack in which a user enters SQL statements into form fields in order to alter the SQL that is normally executed. There is also a variant that is carried out through system() or exec(): it has the same mechanism as SQL injection, but targets shell commands instead.

```php
<?php
// Deliberately vulnerable login check: the username is concatenated straight into the SQL text.
$username = $_POST['username'];
$query = "select * from auth where username = '".$username."'";
echo $query;  // the query text now contains whatever the user typed, unchanged

$db = new mysqli('localhost', 'demo', 'demo', 'demodemo');
$result = $db->query($query);
if ($result && $result->num_rows) {
    echo "<br />Logged in successfully";
} else {
    echo "<br />Login failed";
}
```

In the code above, the first line neither filters nor escapes the user-supplied value (`$_POST['username']`). As a result the query may fail, or even damage the database, depending on whether `$username` contains input that turns your SQL statement into something else.

**Preventing SQL injection**

1. Filter the data with mysql_real_escape_string()
2. Manually check that every piece of data has the correct data type
3. Use prepared statements and bind the variables
4. Use precompiled prepared statements
5. Separate the data from the SQL logic
6. Prepared statements filter (i.e. escape) the data automatically
7. Make this a coding standard, so that newcomers to the team avoid the problems above

```php
<?php
// Prepared statement: the SQL text is fixed, the value travels separately as a bound parameter.
$db = new mysqli('localhost', 'demo', 'demo', 'demodemo');
$query = 'select name, district from city where countrycode=?';
if ($stmt = $db->prepare($query)) {
    $countrycode = 'hk';
    $stmt->bind_param("s", $countrycode);   // "s": bind as a string
    $stmt->execute();
    $stmt->bind_result($name, $district);
    while ($stmt->fetch()) {
        echo $name.', '.$district;
        echo '<br />';
    }
    $stmt->close();
}
```
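The following is an added example, not code from the original article: it rewrites the vulnerable login check above so that it follows the list of countermeasures, combining an explicit type check on every input (item 2) with mysqli prepared statements (items 3 to 6) so that user data never becomes part of the SQL text. The table layout `auth(username, password_hash, age)`, the `validate_username` and `users_older_than` helpers and the password-hash column are assumptions for the example; the connection credentials are the ones the article's own snippet uses.

```php
<?php
// Added example (not from the original article). Assumed schema:
//   auth(username VARCHAR, password_hash VARCHAR, age INT)
// Credentials reuse the article's values: host 'localhost', user 'demo', password 'demo', db 'demodemo'.

declare(strict_types=1);

// Raise exceptions on SQL errors instead of failing silently, so a rejected query is visible in logs.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    return new mysqli('localhost', 'demo', 'demo', 'demodemo');
}

// Item 2 of the list: check that each value has the expected shape before it reaches SQL.
// Only letters, digits, dot, dash and underscore, 3 to 32 characters; anything else is rejected.
function validate_username(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9._-]{3,32}$/', $raw) === 1 ? $raw : null;
}

// Items 3 to 6: the SQL text is constant; the username is bound as a parameter, so the driver
// escapes it and it can never be parsed as part of the statement.
function login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM auth WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Compare against the stored password hash; plaintext passwords are never stored or compared.
    return $found === true && password_verify($password, $hash);
}

// Integer inputs are validated first and then bound with 'i', so a non-numeric value is
// rejected rather than silently coerced to 0.
function users_older_than(mysqli $db, string $rawAge): array
{
    if (filter_var($rawAge, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('age must be an integer');
    }
    $age = (int) $rawAge;

    $stmt = $db->prepare('SELECT username FROM auth WHERE age > ?');
    $stmt->bind_param('i', $age);
    $stmt->execute();
    $stmt->bind_result($name);
    $names = [];
    while ($stmt->fetch()) {
        $names[] = $name;
    }
    $stmt->close();
    return $names;
}

// Request handling: invalid input is refused before a database connection is even opened.
$username = validate_username((string) ($_POST['username'] ?? ''));
$password = (string) ($_POST['password'] ?? '');

if ($username === null) {
    echo 'Login failed';
} else {
    $db = connect();
    echo login($db, $username, $password) ? 'Logged in successfully' : 'Login failed';
}
```

Two details matter for the defender. First, the query text is never echoed or logged with user data spliced in, so a failed login leaks nothing about the statement structure. Second, the type check happens before `prepare()`, which means a malformed value is rejected with no database round trip at all; the bound parameter is the second line of defence, not the only one.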