How can I make these three statements more secure against SQL injection?_问答_开发者

How can I make these three statements more secure against SQL injection?

开发者 https://www.devze.com 2023-02-21 20:28 出处：网络

1. $con = mysql_connect(\"localhost\",\"\",\"\"); if (!$con) { die(\'Could not connect: \' . mysql_error());

相关专题：php

1.

$con = mysql_connect("localhost","","");
if (!$con)
  {
      die('Could not connect: ' . mysql_error());
  }

mysql_select_db("jbell2", $con);

$sql="INSERT INTO Profile (username, Date, Height, Weight, WaistSize, WeightforHeight, Blood_Pressure, Medication, Total_Cholesterol, Bad_Cholesterol, Good_Cholesterol, Triglycerides,KidneyFunctionTest)
VALUES 

('$_Post[username]', '$_POST[Date]', '$_POST[Height]', '$_POST[Weight]', '$_POST[WaistSize]','$_POST[WeightforHeight]', '$_POST[Blood_Pressure]','$_POST[Medication]' ,'$_POST[Total_Cholesterol]' ,'$_POST[Bad_Cholesterol]' ,'$_POST[Good_Cholesterol]','$_POST[Triglycerides]','$_POST[KidneyFunctionTest]' )";

2

          MySqlConnection con = new MySqlConnection("host="";user="";password=""; database="";");
            con.Open();
            MySqlCommand cmd = new MySqlCommand("INSERT INTO Patients(username, password, FirstName, SecondName, DiabetesType, Email,Phone, Phone2, Question1, Question2,TreatmentPlan)"
+ "values" + "('" + uname.Text + "','" + password.Text + "','" + fname.Text + "','" + lname.Text + "','" + Dtype.Text + "','" + email.Text + "','" + phone.Text + "','" + phone2.Text +开发者_C百科 "','" + q1.Text + "','" + q2.Text + "','" + treatment.Text + "')");
            cmd.Connection = con;
            cmd.ExecuteNonQuery();
            con.Close();

In the C# portion:

MySqlCommand cmd = new MySqlCommand("INSERT INTO Patients (username, password, FirstName, 
//...
+ "values" + "('" + uname.Text + "','" + password.Text + "','" + fname.Text + "','" +  
//...
+ "')");

These values should be passed in as parameters. Your command text should be built like this:

MySqlCommand cmd = new MySqlCommand("INSERT INTO Patients (username, password, FirstName, 
//...
+ "values (@username, @password, @FirstName, 
//...
+ "')");

Under that, you should have something like this:

cmd.Parameters.AddWithValue("username", uname.Text);
cmd.Parameters.AddWithValue("password", password.Text);
cmd.Parameters.AddWithValue("FirstName", fname.Text);
//...

If you don't, you're asking for a lot of trouble.

Dunno about PHP but in C# you can use Parameters instead of directly injecting the values.

using (MySqlConnection con = new MySqlConnection("host="";user="";password=""; database="";"))
{
    con.Open();
    string strSQL = "INSERT INTO Patients(username, password, FirstName, SecondName, DiabetesType, Email,Phone, Phone2, Question1, Question2,TreatmentPlan) values (?name, ?password, .....)";
    using (MySqlCommand cmd = new MySqlCommand(strSQL, con))
    {
        cmd.Parametrs.AddWithValue("?name", fname.Text);
        cmd.Parametrs.AddWithValue("?password", lname.Text);
        ..........
        cmd.ExecuteNonQuery();
    }
}

Just have ? followed by some identifier to mark that you add parameter, then use AddWithValue to insert the real value.
Also showing how to use using which dispose of the objects properly.

In first you don't have any word in SQL language.

In 2 and 3 you are creating SQL Query by concating string, this is wrong; in 2 you can use PDO to prepare PDOStatement object and execute it passing arguments securely, in second you can probably prepare this query and pass arguments but must read documentation how do this.

Read this: http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html

for option 2. you should definately be real escaping your strings at minimum before inserting in to DB with mysql_real_escape_string().

and you should always validate your data before inserting in to db. check you are getting the data you want, and replace any chars you should be getting.