PHP | 搜索攻击的用户和漏洞[重复]
This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
I am using MySQLi to prevent any further attacks to my website. I am using PHP 5.6.16, MySQL version of: 5.7.9, and using WAMP
I'm encountering the following error when searching for the user with some weird characters, like adding a ') character in the search box.
MySQL error # 1064 and SQLi vulnerability
How can I sanitize the text box input and prevent any weird or unrecognized characters to be searched?
Screenshot:
Codes:
<?php
# Essential files, please don't erase it!
require_once("../functions.php");
require_once("../db-const.php");
session_start();
?>
<html>
<head>
<script src="script.js" type="text/javascript"></script><!-- put it on user area pages -->
</head>
<body>
<h1> View Profile </h1>
<hr />
<?php
if (logged_in() == false) {
echo "<script> window.alert(\"Please login first!\"); </script>";
redirect_to("login.php");
} else {
if (isset($_GET['username']) && $_GET['username'] != "") {
$username = $_GET['username'];
} else {
$username = $_SESSION['username'];
}
## connect mysql server
$mysqli = new mysqli(localhost, root, "", loginsecure);
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
## query database
# fetch data from mysql database
$sql = "SELECT * FROM users WHERE username ='".$username."' LIMIT 1";
if ($result = $mysqli->query($sql)) {
$user = $result->fetch_array();
} else {
echo "<p>MySQL error no {$mysqli->errno} : {$mysqli->error}</p>";
exit();
}
if ($result->num_rows == 1) {
# calculating online status
if (time() - $user['status'] <= (5*200)) { // 300 seconds = 5 minutes timeout
$status = "Yes";
} else {
$status = "No";
}
# echo the user profile data
echo "<title> View Profile of: {$user['username']} </title>";
echo " Account Searcher: <br>
<form action=\"?username=\" method=\"get\">
Unique ID: <input type=\"text\" name=\"username\" placeholder=\"Searching for user: {$_GET['username']}\">
<input type=\"submit\" value=\"Search\">
</form><hr>
";
echo "Unique ID: {$user['id']}
<br>Username: {$user['username']}
<br>First Name: {$user['first_name']}
<br>Last Name: {$user['last_name']}
<br>Email: {$user['email']}
<br>Online? $status
<br>";
} else { // If user doesn't exists - trigger this event
echo " Account Searcher: <br>
<form action=\"\" method=\"get\">
Username: <input type=\"text\" name=\"username\" placeholder=\"User not found!\">
<input type=\"submit\" value=\"Search\">
</form><hr>
";
echo "<title> User doesn't exists! | Prospekt </title> <p><b>Error:</b> User doesn't exist! Please register first!</p>";
}
}
// showing the login & register or logout link
if (logged_in() == true) {
echo '<a href="../logout.php">Log Out</a> | <a href="../home.php"> Go to Home </a>';
} else {
echo '<a href="../login.php">Login</a> | <a href="register.php">Register</a>';
}
?>
<hr />
</body>
</html>
</div>
You are sending the values directly into the database query before validating them which may cause dangers.To prevent sql injections there are inbuilt php functions like mysqli_real_escape_string(). being that said a complete better solution is using Php prepared statements with PDO..
In your code: when you are taking some data from user either from get or post variables do this
<?php
$uname=$_GET['username'];
//now validate
$username=mysqli_real_escape_string($conn,htmlspecialchars($uname));
//Now username is somewhat protected.so now use it for sql queries.
?>
Your code is vulnerable to SQL injections. The best idea is to parameterize the queries using prepared statements or pdo. Escape the strings too and sanitize them. Learn more about prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php