Mysql数据库安全性问题【防注入】

一、SQL注入实例

后台的插入语句代码：

$unsafe_variable = $_POST['user_input'];   mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')");  

当POST的内容为：

value'); DROP TABLE table;--

以上的整个SQL查询语句变成：

INSERT INTO `table` (`column`) VALUES('value'); DROP TABLE table;--')  

---

二、防止SQL注入措施

1.使用预处理语句和参数化查询。（‘Use prepared statements and parameterized queries.’）
SQL语句和查询的参数分别发送给数据库服务器进行解析。这种方式有2种实现：
（1）使用PDO（PHP data object）

$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');  $stmt->execute(array('name' => $name));  foreach ($stmt as $row) {      // do something with $row  }  

（2）使用MySQLi

$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');  $stmt->bind_param('s', $name);  $stmt->execute();  $result = $stmt->get_result();  while ($row = $result->fetch_assoc()) {      // do something with $row  }  

2.对查询语句进行转义（最常见的方式）

$unsafe_variable = $_POST["user-input"];  $safe_variable = mysql_real_escape_string($unsafe_variable);  mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");  

$mysqli = new mysqli("server", "username", "password", "database_name");  // TODO - Check that connection was successful.  $unsafe_variable = $_POST["user-input"];  $stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");  // TODO check that $stmt creation succeeded  // "s" means the database expects a string  $stmt->bind_param("s", $unsafe_variable);  $stmt->execute();  $stmt->close();  $mysqli->close();  

3.限制引入的参数

$orders  = array("name","price","qty"); //field names  $key     = array_search($_GET['sort'],$orders)); // see if we have such a name  $orderby = $orders[$key]; //if not, first one will be set automatically. smart enuf :)  $query   = "SELECT * FROM `table` ORDER BY $orderby"; //value is safe  

4.对引入参数进行编码

SELECT password FROM users WHERE name = 'root'            --普通方式  SELECT password FROM users WHERE name = 0x726f6f74        --防止注入  SELECT password FROM users WHERE name = UNHEX('726f6f74') --防止注入  set @INPUT =  hex("%实验%");  select * from login where reset_passwd_question like unhex(@INPUT) ;  

有一些讨论意见,所以我最后想弄清楚。这两种方法非常相似,但它们在某些方面有点不同:
x前缀只能用于数据列如char、varchar、文本块,二进制,等等。
其使用也有点复杂,如果你要插入一个空字符串。你必须完全替代”,或者你会得到一个错误。
任何列工作;您不必担心空字符串。

参考stackoverflow：http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php