另一个使用TinyMCE的php / mysql注入[重复]

This question already has an answer here:

这个问题在这里已有答案:

How can I prevent SQL injection in PHP? 28 answers

如何在PHP中阻止SQL注入? 28个答案

I'm no php programmer, only site admin, I've recently adopted a site with web panel that causes sql injection when trying to post html code in TinyMCE, containing apostrophe.

我不是php程序员,只有站点管理员,我最近采用了一个网页面板,当试图在TinyMCE中发布包含撇号的html代码时会导致sql注入。

Problematic html code;

有问题的HTML代码;

img onmouseover="this.src='layout/gfx/wiecej1.png'

php code;

$edytuj = $_POST['edytuj'];

sql query;

if($edytuj) {
     $podstrony_id = $_POST['id'];
     $podstrony_id_kategorie = $_POST['id_kategorie'];
     $podstrony_id_moduly = $_POST['id_moduly'];
     $podstrony_tytul = $_POST['tytul'];
     $podstrony_szablon = $_POST['szablon'];
     $podstrony_tresc = $_POST['tresc'];
     $podstrony_aktywnosc = $_POST['aktywnosc'];

     $zapytanie = "UPDATE $tab_podstrony SET id_kategorie='$podstrony_id_kategorie', id_moduly='$podstrony_id_moduly', tytul='$podstrony_tytul', szablon='$podstrony_szablon', tresc='$podstron$
     $wynik = mysql_query($zapytanie);

Site uses php-cgi-5.4.39 and mysql-5.5 I don't have access to previous environment (where this panel worked fine), so I can't find out if it's configuration or code problem.

网站使用php-cgi-5.4.39和mysql-5.5我没有访问以前的环境(这个面板工作正常),所以我无法找出它的配置或代码问题。

1 个解决方案

#1

Quick fix: you need to properly escape any strings you want to include in the query using mysql_real_escape_string().

快速修复:您需要使用mysql_real_escape_string()正确转义要包含在查询中的任何字符串。

Proper fix: switch to mysqli, as the mysql extension is deprecated, and either escape the strings with mysqli_real_escape_string(), or better use prepared statements.

正确修复:切换到mysqli,因为不推荐使用mysql扩展,并使用mysqli_real_escape_string()转义字符串,或者更好地使用预处理语句。

#1