What’s the Right Way to Prevent SQL Injection in PHP Scripts?

防止SQL注入的最佳实践
最新推荐文章于 2025-11-27 11:57:21 发布
转载 最新推荐文章于 2025-11-27 11:57:21 发布 · 658 阅读 · 0
文章标签:

#php #sql #sql injection #security #prevention

本文详细阐述了如何在PHP脚本中预防SQL注入攻击,并对比了传统的输入验证方法与使用参数化查询的方法,强调后者是更为安全的选择。

https://blogs.msdn.microsoft.com/brian_swan/2010/03/04/whats-the-right-way-to-prevent-sql-injection-in-php-scripts/

How to prevent SQL injection in PHP scripts is probably a topic that doesn’t need anything more written about it. It is pretty easy to find blog posts, documentation, videos, etc.  that explain the importance of preventing SQL injection and suggestions for preventing it. In fact, I’ve already written a post on this topic as a guest writer on the SQL Server Driver for PHP team blog. However, it is important to have fresh information for new Web developers and I don’t necessarily agree with some of the most common suggestions for preventing SQL injection. (Besides, I hear that this is the Month of PHP Security.) So, this will be yet another post about preventing SQL injection, but I will offer my 2 cents about what I think is the right way to prevent it.


 


What is SQL Injection?


SQL injection (or a SQL injection attack) occurs when a user provides SQL code as user input for a Web page, and the SQL code is then executed in the database. For example, consider the following login script:



<form method=”post” action=”injection.php” enctype=”multipart/form-data” >
    Username:<input type=”text” name=”Username” id=”Username”/></br>
    Password:<input type=”text” name=”Password” id=”Password”/></br>
    <input type=”submit” name=”submit” value=”Submit” />
</form>
<?php
$username = $_POST[‘Username’];
$password = $_POST[‘Password’];


$server = “MyServer\sqlexpress”;
$options = array(“Database”=>”ExampleDB”, “UID”=>”MyUID”, “PWD”=>”MyPWD”);
$conn = sqlsrv_connect($server, $options);
$sql = “SELECT * FROM UserTbl WHERE Username = ‘$username’ and Password = ‘$password'”;
$stmt = sqlsrv_query($conn, $sql);
if(sqlsrv_has_rows($stmt))
{
    echo “Welcome.”;
}
else
{
    echo “Invalid password.”;
}
?>


Now consider the form with the following inputs:



    image


Now the statement that is executed in the database is the following:



SELECT * FROM UserTbl WHERE Username= ‘Brian’ and Password= ”or 1 = 1–‘


Because 1=1 is always true, this query will return all users. (Note that the last quotation is commented out.) So, in the script above, sqlsrv_has_rows is true, and access is granted.


SQL injection is possible here because user input is concatenated with the executed SQL code. Scripts should not be written in this way…ever. The example above only scratches the surface of what can be done with SQL injection – much more malicious attacks are possible.


 


A Common Attempt at Prevention


The most common suggestion I’ve seen for preventing SQL injection involves trying to remove or escape any possible SQL code from user input before concatenating it with the SQL code to be executed. There are several PHP functions (and functions in PHP extensions) that can be used to do this, but all of them are potentially vulnerable. If you concatenate user input with SQL code that will be executed in the database, you run the risk of a SQL injection attack no matter how much parsing and escaping of the input you do. How can you be 100% sure that you’ve thought of all possibilities that a creative hacker might think of? How can you be sure that you’ve taken the appropriate measures to mitigate an attack? How can you be sure that the functions you are using to remove or escape dangerous user input aren’t buggy?


Now, having posed those questions, can I actually come up with an attack that gets by the best of the “remove and escape” strategies? No. When done carefully, this strategy is pretty good at preventing SQL injection. However, it still allows for the possibility of some clever hacker finding a way to inject SQL, even if it is a remote possibility. Why take that chance when an easier, safer alternative exists?  


 


The Right Way to Prevent SQL Injection


The right way to prevent SQL injection is by using parameterized queries. This means defining the SQL code that is to be executed with placeholders for parameter values, programmatically adding the parameter values, then executing the query. Doing this allows the server to create an execution plan for the query, which prevents any “injected” SQL from being executed. An example will help in explaining this. Let’s use the same script, but I’ll define the SQL query with parameter placeholders:



$sql = “SELECT * FROM UserTbl WHERE Username = ? and Password = ?”;


Now, I’ll define an array that holds the parameter values:



$params = array($_POST[‘Username’], $_POST[‘Password’]);


When I execute the query, I pass the $params array as an argument:



$stmt = sqlsrv_query($conn, $sql, $params);


When sqlsrv_query is called, an execution plan is created on the server before the query is executed. The plan only allows our original query to be executed. Parameter values (even if they are injected SQL) won’t be executed because they are not part of the plan. So, if I submit a password like I did in the example above (‘or 1=1–), it will be treated as user input, not SQL code. In other words, the query will look for a user with this password instead of executing unexpected SQL code.


The script above, modified to prevent SQL injection, looks like this:



<form method=”post” action=”injection.php” enctype=”multipart/form-data” >
    Username:<input type=”text” name=”Username” id=”Username”/></br>
    Password:<input type=”text” name=”Password” id=”Password”/></br>
    <input type=”submit” name=”submit” value=”Submit” />
</form>
<?php
$params = array($_POST[‘Username’], $_POST[‘Password’]);


$server = “MyServer\sqlexpress”;
$options = array(“Database”=>”ExampleDB”, “UID”=>”MyUID”, “PWD”=>”MyPWD”);
$conn = sqlsrv_connect($server, $options);
$sql = “SELECT * FROM UserTbl WHERE Username = ? and Password = ?”;
$stmt = sqlsrv_query($conn, $sql, $params);
if(sqlsrv_has_rows($stmt))
{
    echo “Welcome.”;
}
else
{
    echo “Invalid password.”;
}
?>



Note: If you expect to execute a query multiple times with different parameter values, use the sqlsrv_prepare and sqlsrv_execute functions. The sqlsrv_prepare function creates an execution plan on the server once and the sqlsrv_execute function executes the query with different parameter values each time it is called.


I’m using SQL Server Express and the sqlsrv API to demonstrate parameterized queries here, but this technique can (and should) be applied regardless of the database and extension being used.


OK…that’s my 2 cents about preventing SQL injection. I’d certainly be interested in other opinions about the best way to prevent SQL injection…let me know what you think.

Text2SQL基座模型选择的实战教程(持续更新)
herosunly的博客
06-21 23万+
本文主要介绍了Text2SQL基座模型选择的实战教程(持续更新),希望对学习大语言模型的同学们有所帮助。 文章目录 1. 前言 2. Text2SQL基座模型的发展史 3. 模型选择实战 3.1 prompt模板 3.2 下载模型与部署API 3.3 实战代码 4. 补充说明
关于React报Too many re-renders. React limits the number of renders to prevent an infinite错误的解决方案
xiangzhihong8的专栏
08-26 7938
今天在开发RN程序的时候,报了一个Too many re-renders. React limits the number of renders to prevent an infinite。刚开始怀疑是页面渲染的内容太多,后来将其他元素都删除,结果还是报这个错误。于是就想到了重复渲染的问题,比如下面的写法就会造成重复渲染: onClick={setTime(false)} 需要改成下面的方式: onClick={() => { setTime(false); }} 因为上面的代码会造成代
实用:防止SQL、XSS等注入攻击的Filter
johennes的专栏
08-26 4952
本文主要原理是转换过滤或拦截请求中的非法字符 FILTER代码: XssFilter.java /** * {@link CharLimitFilter} * * 拦截防止XSS注入 * * @author Administrator */ public class XssFilter implements Filter { /* (non-Javadoc) * @se
java filter 防止sql注入攻击
专注
07-12 3011
原理,过滤所有请求中含有非法的字符,例如:, & 某个网站的登入验证的SQL查询代码为       strSQL = "SELECT * FROM users WHERE (name = '" + userName + "') and (pw = '"+ passWord +"');" 恶意填入       userName = "' OR '1'='1"
MySQL and SQL Injection
u013571243的专栏
02-03 455
If you take user input through a webpage and insert it into a MySQL database, there's a chance that you have left yourself wide open for a security issue known as SQL Injection. This lesson will teach
Do Stored Procedures Protect Against SQL Injection?
happygogf的专栏
03-04 624
https://blogs.msdn.microsoft.com/brian_swan/2011/02/16/do-stored-procedures-protect-against-sql-injection/ When I’ve asked people about their strategies for preventing SQL injection, one response
Managing DbContext the right way with Entity Framework 6: an in-depth guide
missautumn的专栏
03-08 3046
Entity Framework 6 & DbContextScope VS UnitOfWork 的深度分析好文
Managing DbContext the right way with Entity Framework 6: an in-depth guide by mehdime
weixin_30911809的博客
02-10 841
UPDATE:the source code forDbContextScopeis now available on GitHub:DbContextScope on GitHub. A bit of context This isn't the first post that has been written about managing theDbContextlifetim...
sql 注入 预防_SQL注入:检测和预防
culuo4781的博客
07-18 2399
sql 注入 预防 摘要 (Summary) With an understanding of what SQL injection is and why it is important to an organization, we can shift into a discussion of how to prevent it. We ultimately want systems w...
How to Create a Secure Login Script in PHP and MySQL
wys839348916的博客
11-12 2553
Eight Parts:Configure Your ServerConfigure the MySQL DatabaseCreate Database Connection PageCreate the PHP FunctionsCreate Processing PagesCreate Javascript FilesCreate HTML PagesProtect
sql注入攻击属于什么攻击_sql注入攻击已经很老了,但是仍然很相关,这就是为什么图表...
weixin_26751365的博客
10-11 928
sql注入攻击属于什么攻击Written by Johnathan Azaria and Ori Nakar由Johnathan Azaria和Ori Nakar撰写 We’re living in the Golden Age of data. Some companies analyze it to better themselves, others trade it for profit, ...
advanced_sql_injection.rar_sql injection
09-24
how to prevent sql injection attack
Dropout:A Simple Way to Prevent Neural Networks from Overfitting
qq_25379821的博客
08-21 2296
这是一篇深度学习领域引用量目前达到1779的文章,在学习深度学习必读文章之列,下面理解下作者们的主要思想
PHP在微服务中的配置中心
2509_93947720的博客
11-26 254
在微服务架构里,配置中心相当于所有服务的"指挥中心",把散落在各处的配置项统一收拢管理。而配置中心能让所有服务实时获取最新配置,就像给每个服务装了遥控器,改个参数值都不用重启服务。毕竟PHP天生适合快速迭代,加上配置中心的动态配置能力,简直是为业务频繁变动的场景量身定制的。不过要提醒的是,配置项命名必须规范。我们初期踩过坑,不同团队用不同的命名风格,有的用驼峰有的用下划线,查找配置时特别混乱。说到具体实践,我们团队现在把配置分为三类:静态配置写在代码里,环境配置交给配置中心,动态配置通过管理界面实时调整。
MySQL 教程(超详细,零基础可学、第一篇)
最新发布
2509_94101649的博客
11-27 172
MySQL 是一个关系型数据库管理系统,由瑞典 MySQL AB 公司开发,目前属于 Oracle 公司。MySQL 是一种关联数据库管理系统,关联数据库将数据保存在不同的表中,而不是将所有数据放在一个大仓库内,这样就增加了速度并提高了灵活性。MySQL 是开源的,目前隶属于 Oracle 旗下产品。MySQL 支持大型的数据库。可以处理拥有上千万条记录的大型数据库。MySQL 使用标准的 SQL 数据语言形式。MySQL 可以运行于多个系统上,并且支持多种语言。
6.Nginx服务器
2301_77138478的博客
11-26 381
摘要:本文介绍了Nginx服务器的安装与配置方法,重点讲解了虚拟主机和SSL/TLS配置。主要内容包括:1) 通过yum安装Nginx并启动服务;2) 基于名称和端口的虚拟主机配置,实现多站点服务;3) 使用OpenSSL生成自签名证书,配置HTTPS站点;4) 设置HTTP到HTTPS的重定向。文中提供了详细的命令操作和测试步骤,并配有配置截图和测试结果展示,帮助用户快速掌握Nginx的基本配置方法。
【HTML+CSS】使用HTML与后端技术连接数据库
2509_94007310的博客
11-24 826
HTML负责构建网页的骨架,提供用户交互的表单等元素。用户通过表单输入数据,并通过表单的提交(submit)事件将数据发送到后端。
在Linux系统上使用nmcli命令配置各种网络(有线、无线、vlan、vxlan、路由、网桥等)
2509_94201400的博客
11-25 763
本文所有内容都由我亲自试验并总结,如果有朋友转载,请标明出处毕竟网上对于NetworkManager工具的各种解释都过于片面,也没有一个比较全面的示例,所以在本文上我还是耗费了很多的精力和时间的这其中当属无线网络的AP模式开启和两个ubuntu系统配置Vxlan上最耗费时间因为是虚拟机,会遇到各种各样的不适配或者其他bug,都需要一样找出问题来目前这里暂时只展现这些最常用的配置示例,目的是为了让大家在以后面对各式各样的Linux系统时能够更便捷的进行统一的网络配置!!
PHP True Async RFC 被拒——原生异步离 PHP 还有多远?
qq_31470439的博客
11-26 264
PHP原生异步编程(RFC)被否决,9票反对0票通过。该RFC旨在为PHP核心添加真正的异步能力,但核心开发者并非反对异步本身,而是质疑具体实现方式,主要问题包括:命名规范不符(PHP应使用蛇形命名而非驼峰)、异常层级设计不当,以及全局调度器设计存在潜在风险。尽管技术实现已相对成熟(基于Fibers和libUV),但社区更重视API设计的严谨性。这反映了PHP对稳定性的重视,而非拒绝异步功能。未来可能通过分阶段实现、改进API设计并扩大测试来推进该特性。虽然进程放缓,但PHP向现代化语言演进的趋势不会改变。
IDEA中出现Would you like to install shellcheck to verify you shell scripts?
10-14
<think>根据用户的问题,用户在使用IDEA时遇到了一个提示:“Would you like to install shellcheck to verify your shell scripts?”,并希望找到解决办法。 分析:ShellCheck是一个用于静态分析Shell脚本的工具,可以检查脚本中的语法错误和常见问题。IDEA(特别是IntelliJ IDEA)集成了对ShellCheck的支持,当用户打开Shell脚本文件时,可能会提示安装ShellCheck以进行脚本验证。 解决办法: 1. 如果用户希望使用ShellCheck,可以直接在IDEA的提示中点击“Install”进行安装。安装过程通常由IDEA自动完成。 2. 如果用户没有看到提示或想手动安装,可以按照以下步骤操作: a. 确保系统上已经安装了ShellCheck。如果没有,需要先安装ShellCheck。 对于不同的操作系统,安装方法不同: - 在Debian/Ubuntu上:`sudo apt install shellcheck` - 在Fedora上:`sudo dnf install shellcheck` - 在macOS上(使用Homebrew):`brew install shellcheck` - 在Windows上:可以通过scoop安装(`scoop install shellcheck`)或者从官方下载二进制文件。 b. 在IDEA中配置ShellCheck: 打开设置(Settings) -> 选择“Languages & Frameworks” -> 选择“Shell Script” -> 在“Inspections”中确保“ShellCheck”已启用,并指定ShellCheck的安装路径(如果IDEA没有自动检测到)。 3. 如果用户不想使用ShellCheck,可以选择忽略或禁用该提示: - 在提示出现时,选择“Don't ask again”来避免再次提示。 - 在设置中禁用ShellCheck检查:打开设置 -> 选择“Editor” -> “Inspections” -> 在搜索框中输入“ShellCheck” -> 取消勾选。 注意:用户提供的引用内容中,引用[1]提到了bash别名的写法,引用[2]是一个Shell脚本的示例,引用[3]是一段关于控制使用的文字,引用[4]是关于Spring Boot项目结构的说明。这些引用与当前问题关联性不大,但引用[2]中的Shell脚本示例提醒我们,编写Shell脚本时可能会需要静态检查工具,因此安装ShellCheck是有益的。 为了帮助用户更好地使用Shell脚本开发,建议安装ShellCheck,因为它可以帮助发现脚本中的潜在问题。 生成相关问题: 考虑到用户可能对ShellCheck的使用和配置有进一步的问题,可以生成以下相关问题: §§相关问题§§ 1. 如何配置IDEA以使用已安装的ShellCheck? 2. ShellCheck能检查哪些常见的Shell脚本错误? 3. 除了ShellCheck,IDEA还有哪些支持Shell脚本的功能? 4. 如何在其他编辑器(如VSCode)中使用ShellCheck? </think>### 解决IDEA提示“Would you like to install shellcheck to verify your shell scripts?”的方法 该提示表示IDEA检测到您正在编辑Shell脚本(如`.sh`文件),并建议安装**ShellCheck**——一个开源的Shell脚本静态分析工具。以下是完整解决方案: #### 解决方法 1. **直接安装ShellCheck(推荐)** 在弹出提示时点击 **`Install`**,IDEA会自动下载并配置ShellCheck[^2]。安装后: - 脚本中的语法错误会实时显示波浪线提示 - 鼠标悬停可查看错误详情(如未引用的变量、语法错误等) - 支持自动修复部分问题 2. **手动安装(若自动安装失败)** ```bash # Linux (Debian/Ubuntu) sudo apt install shellcheck # macOS (Homebrew) brew install shellcheck # Windows (Scoop) scoop install shellcheck ``` 安装后在IDEA中配置路径: `Settings → Languages & Frameworks → Shell Script → ShellCheck path` → 指定安装路径 3. **禁用提示(不推荐)** 若无需此功能: - 点击提示中的 **`Don't ask again`** - 或在设置中关闭: `Settings → Editor → Inspections → Shell Script → 取消勾选ShellCheck` #### 注意事项 1. **ShellCheck的作用** 可检测脚本中的: - 语法错误(如缺少空格 `[ "${yn}"=="Y" ]` → 应为 `[ "${yn}" == "Y" ]`) - 未引用的变量(如 `rm $DIR/*` 应改为 `rm "$DIR"/*`) - 安全风险(如 `curl http://x.com | bash`) 2. **与IDEA集成的优势** 相比命令行使用,IDEA集成提供: - 实时错误高亮 - 快速修复建议(Alt+Enter) - 支持 `.sh`、`.bash`、`.zsh` 等文件 #### 验证是否生效 创建测试脚本: ```bash #!/bin/bash # test.sh file_path="/tmp" rm $file_path/* # 触发SC2086警告(未引用变量) ``` 生效后IDEA会在 `$file_path` 下方显示黄色波浪线,提示:**`Double quote to prevent globbing and word splitting`**。 > **提示**:ShellCheck特别适合检查条件语句(如`[ ]`)、变量引用等常见错误[^2],能显著提升Shell脚本的健壮性。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值