POST 是否可以进行 SQL 注入?

2021-12-26 00:00:00 https php sql-injection httpwebrequest

如果通过 GET 传递参数,则可以进行 Sql 注入.但是也可以通过POST.如果是,https 可以阻止吗?

Sql Injection is possible if parameters are passed via GET. But is it possible via POST also. If yes, can https prevent it?

推荐答案

是的,可以使用 $_POST 以及 $_GET$_COOKIE$_REQUEST.HTTPS 根本不会保护您.您必须使用某些功能来保护您,例如 mysql_real_escape_string 或使用 准备好的语句.

Yes, it's possible with $_POST as well as with $_GET, $_COOKIE and $_REQUEST. HTTPS will not protect you at all. You have to use some function to protect you, for example mysql_real_escape_string or use prepared statements.

来自网络浏览器的所有通信都应作为不受信任"处理.您不能信任的其他技术是 Ajax文件上传JavaScript 表单验证(等等).所有这些数据都直接来自网络浏览器,在您过滤或验证数据之前不应信任它们.

All communication from the web browser should be handled as "untrusted". Other techniques you can't trust is Ajax, file uploads and JavaScript form validations (among others). All these data come directly from the web browser and should not be trusted before you have filtered them or validated the data.

您唯一可以信任的是 $_SESSION,前提是您只将经过验证的数据放入您的 $_SESSION 变量中.

The only thing you can trust is $_SESSION, provided that you ONLY put in validated data into your $_SESSION variables.

相关文章