Sql-injection-safe-php: Unterschied zwischen den Versionen

Aus xinux.net
Zur Navigation springen Zur Suche springen
Zeile 9: Zeile 9:
 
     mysqli_set_charset($link, "utf8");
 
     mysqli_set_charset($link, "utf8");
 
     if($link === false){
 
     if($link === false){
      echo(mysqli_connect_error());
+
    echo(mysqli_connect_error());
      die("ERROR: Could not connect. " . mysqli_connect_error());
+
    die("ERROR: Could not connect. " . mysqli_connect_error());
    }
+
}
 
  
//connect db
+
 
    include "inc/connect.php";
+
  //unsafe query
    //safe query
+
     $search = $_POST['search'];
     $search = mysqli_real_escape_string($link, $_POST['search']);
 
 
     //Database search
 
     //Database search
 
     $sql = "SELECT * FROM users WHERE username='$search'";
 
     $sql = "SELECT * FROM users WHERE username='$search'";
     $result = mysqli_query($link, $sql);
+
     mysqli_multi_query($link, $sql);
 
   }
 
   }
 
?>
 
?>
Zeile 32: Zeile 30:
 
                   <input type="text" name="search"><br>
 
                   <input type="text" name="search"><br>
 
                   <input type="submit" name="submit" value="Suche">
 
                   <input type="submit" name="submit" value="Suche">
                 </form>  
+
                 </form>
 
                 <br>
 
                 <br>
 
                 <table border = "1">
 
                 <table border = "1">
Zeile 41: Zeile 39:
 
                         </tr>
 
                         </tr>
 
<?php
 
<?php
   while ($row = mysqli_fetch_row($result)) {
+
 
    echo "<tr>";
+
do{
    echo "<td>".$row[0]." </td>";
+
   if ($result = mysqli_store_result($link)){
    echo "<td>".$row[1]." </td>";
+
        while ($row = mysqli_fetch_row($result)) {
    echo "<td>".$row[2]." </td><br>";
+
            echo "<tr>";
    echo "</tr>";
+
            echo "<td>".$row[0]." </td>";
 +
            echo "<td>".$row[1]." </td>";
 +
            echo "<td>".$row[2]." </td><br>";
 +
            echo "</tr>";
 +
        }
 
   }
 
   }
 +
 +
}while (mysqli_more_results($link));
 
?>
 
?>
                </table>
+
</table>
        </body>
+
</body>
 
</html>
 
</html>
 +
 +
 
</pre>
 
</pre>

Version vom 11. September 2023, 11:44 Uhr

<?php
  if(isset($_POST['submit'])){
    define('DB_SERVER', '127.0.0.1');
    define('DB_USERNAME', 'xinux');
    define('DB_PASSWORD', 'suxer');
    define('DB_NAME', 'sql_injections');
    $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
    mysqli_set_charset($link, "utf8");
     if($link === false){
    echo(mysqli_connect_error());
    die("ERROR: Could not connect. " . mysqli_connect_error());
}


   //unsafe query
    $search = $_POST['search'];
    //Database search
    $sql = "SELECT * FROM users WHERE username='$search'";
    mysqli_multi_query($link, $sql);
  }
?>

<!DOCTYPE html>
<html>
        <body>
                <h2>SQL Injection</h2>
                <form method="post">
                  <label for="fname">Suche</label><br>
                  <input type="text" name="search"><br>
                  <input type="submit" name="submit" value="Suche">
                </form>
                <br>
                <table border = "1">
                        <tr>
                                <td>ID</td>
                                <td>Name</td>
                                <td>Passwort</td>
                        </tr>
<?php

do{
  if ($result = mysqli_store_result($link)){
        while ($row = mysqli_fetch_row($result)) {
            echo "<tr>";
            echo "<td>".$row[0]." </td>";
            echo "<td>".$row[1]." </td>";
            echo "<td>".$row[2]." </td><br>";
            echo "</tr>";
        }
  }

}while (mysqli_more_results($link));
?>
</table>
</body>
</html>
Abgerufen von „https://xinux.net/index.php?title=Sql-injection-safe-php&oldid=49279