Preventing SQL Injection in SQL: How to Prevent SQL Injection in PHP Applications?
I have an application and I have complex requests to the server. There are a lot of database operations. Managing them can become very hard sometimes. In this situation, how can I prevent SQL injection attacks against my application?
Use Prepared Statements
Prepared statements are the way to bind client-provided values to database queries. PDO (PHP Data Objects) acts as a middle proxy between the application and the database and prevents SQL injection, because bound values are sent separately from the query text and are never parsed as SQL. PDO is supported by all common database drivers, so the choice of driver is not a problem.
// The query text contains only a named placeholder, never the user-supplied value
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');

// The value is bound at execution time and cannot change the structure of the query
$stmt->execute(array('name' => $name));

foreach ($stmt as $row) {
    // do something with $row
}
Correctly Set Up the Database Connection
Using default settings generally leads to problems or security issues, so the best approach against SQL injection attacks is to create the database connection by explicitly specifying its parameters.
// Explicit DSN: database name, host and connection charset are stated rather than left to defaults
$dbConnection = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');

// Use real server-side prepared statements instead of PDO's client-side emulation
$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Throw exceptions on errors so failures are not silently ignored
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
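Putting the two sections above together, as an added example that is not code from the original article: a small repository class built on the connection settings just shown. It assumes an `employees` table with `id`, `name`, `hired_at` and `salary` columns, and shows that placeholders cover values only; an IN list needs one placeholder per value, and an ORDER BY column must come from a whitelist because identifiers cannot be bound.

```php
<?php
// Added example, not from the original article: a small PDO repository that keeps
// user input out of the SQL text, including two cases a plain placeholder cannot
// cover (IN lists, ORDER BY identifiers). Table and column names are assumed.
final class EmployeeRepository
{
    // Only these identifiers may appear in ORDER BY; identifiers cannot be bound.
    private const SORTABLE = ['name', 'hired_at', 'salary'];

    public function __construct(private PDO $pdo) {}

    public static function connect(string $dsn, string $user, string $pass): self
    {
        return new self(new PDO($dsn, $user, $pass, [
            PDO::ATTR_EMULATE_PREPARES => false,              // server-side prepares
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        ]));
    }

    // Single value: the value is sent separately from the query text.
    public function findByName(string $name): array
    {
        $stmt = $this->pdo->prepare('SELECT id, name FROM employees WHERE name = :name');
        $stmt->execute(['name' => $name]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Variable-length list: one placeholder per value, never implode the values.
    public function findByIds(array $ids): array
    {
        if ($ids === []) {
            return [];
        }
        $marks = implode(',', array_fill(0, count($ids), '?'));
        $stmt  = $this->pdo->prepare("SELECT id, name FROM employees WHERE id IN ($marks)");
        $stmt->execute(array_map('intval', array_values($ids)));
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    // Dynamic ORDER BY: the column is whitelisted, the LIMIT is bound as an integer.
    public function listSorted(string $column, int $limit): array
    {
        if (!in_array($column, self::SORTABLE, true)) {
            throw new InvalidArgumentException('Unsupported sort column');
        }
        $stmt = $this->pdo->prepare("SELECT id, name FROM employees ORDER BY `$column` LIMIT :limit");
        $stmt->bindValue(':limit', max(1, min($limit, 100)), PDO::PARAM_INT);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}
```

The backtick quoting of the sort column is MySQL syntax, matching the `mysql:` DSN used above; other drivers quote identifiers differently.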
Use a WAF
After deployment, the PHP web application is reachable from the Internet. Most attackers operate from the Internet, so blocking them, or at least detecting them, is valuable. A Web Application Firewall (WAF) is like a network firewall but works at layer 7 of the OSI reference model. A simple WAF inspects HTTP/HTTPS traffic and tries to find and block attack requests.
Perform a Penetration Test on the Application
Penetration tests simulate attacks and attackers. White-hat hackers provide this service: they attack the PHP application the way a black-hat hacker would and report hints about the application's vulnerabilities.
Perform Static Code Analysis
Code analysis is the act of using code-analysis tools to find security-relevant parts of the application code. Static code analysis reports many issues, but some of them are false positives, so the static analysis report should be filtered by a security professional to make it more useful and clearer.