此表单使用单选按钮是否可以避免 SQL 注入?

我正在尝试在我的网站上创建动态搜索功能,用户可以选择根据 ID、品牌、型号或日期查找索赔信息。有一个搜索栏可用于输入数据,单选按钮提供搜索过滤器。


我想知道我的简单 if 语句方法是否存在 SQL 注入漏洞,因为我直接将变量作为列名传递(据我所知,PDO 不会让您将此值作为参数传递)


HTML 代码:


    <form method="POST" action="find-claims.php">

        <label for="find-claim">Find Claim:</label>

        <input type="search" id="claim-search-bar" name="claim-search-bar"><br/>

        <input type="radio" value="by-id" class="radio-param" name="search-param" checked><label for="by-id">By Claim Id</label>

        <input type="radio" value="by-make" class="radio-param" name="search-param"><label for="by-make">By Vehicle Make</label>

        <input type="radio" value="by-model" class="radio-param" name="search-param"><label for="by-model">By Vehicle Model</label>

        <input type="radio" value="by-date" class="radio-param" name="search-param"><label for="by-date">By Claim Date</label>

        <input type="submit" class="radio-param" value="Submit">

    </form>

PHP代码:


// Get search data

$searchVal = $_POST["claim-search-bar"];


// Get radio value

$searchType = $_POST["search-param"];


// Store search type into db-naming scheme

$radioVal = "";

if($searchType == "by-id"){

    $radioVal = "claim_id";

}

else if($searchType == "by-make"){

    $radioVal = "make";

}

else if($searchType == "by-model"){

    $radioVal = "model";

}

else if($searchType == "by-date"){

    $radioVal = "date_received";

}


// DB Interaction

try{

    // Connection to DB

    require "../db-info.php";

    $dbh = new PDO("mysql:host=$serverName; dbname=$dbName", $userName, $password);

    $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );


    // Get Claim based off dynamic input

    $getClaim = $dbh->prepare("SELECT * FROM claims WHERE $radioVal = ?");

    $getClaim->bindParam(1, $searchVal);

    $getClaim->execute();

    $claimInfo = $getClaim->fetchAll();


    // Checks if DB returned any data

    if($claimInfo){

        // Display corresponding info

    }



婷婷同学_
浏览 114回答 2
2回答

慕桂英3389331

您可以将搜索值存储在数组中。除了删除无用的 try-catch 之外,它还会使您的代码不再那么臃肿。// Get search data$searchVal = $_POST["claim-search-bar"];// Get radio value$searchType = $_POST["search-param"];// Store search type into db-naming scheme$searchValues = [&nbsp; &nbsp; "by-id" => "claim_id",&nbsp; &nbsp; "by-make" => "make",&nbsp; &nbsp; "by-model" => "model",&nbsp; &nbsp; "by-date") => "date_received",];$radioVal = $searchValues[$searchType] ?? "claim_id";// Connection to DBrequire "../db-info.php";// the connection code should really go into include// Get Claim based off dynamic input$getClaim = $dbh->prepare("SELECT * FROM claims WHERE $radioVal = ?");$getClaim->execute([$searchVal]);$claimInfo = $getClaim->fetchAll();// Checks if DB returned any dataif($claimInfo){&nbsp; &nbsp; // Display corresponding info}else{&nbsp; &nbsp; echo "sorry no claim found";}

心有法竹

因为$radioVal只分配了您在代码中编写的文字值,并且从未分配任何不受信任的内容,所以对于 SQL 注入来说它是安全的。但是,我建议您为其指定一个比"".&nbsp;因为如果 的已知值都不$searchType匹配,则 then$radioVal将保留"",您将得到以下 SQL 语句:SELECT&nbsp;*&nbsp;FROM&nbsp;claims&nbsp;WHERE&nbsp;&nbsp;=&nbsp;?这将是一个语法错误。这不会是由于 SQL 注入造成的,但它不会起作用。顺便说一下,你不需要消毒$searchVal。这就是使用绑定参数的要点,它是在查询准备好之后绑定的,因此它不会引入 SQL 注入。消毒与否并不重要。
打开App,查看更多内容
随时随地看视频慕课网APP