I've gotten a habit of filtering the user submitted variable through my int function which makes sure it's a number (if not returns 0) and not quoting the variable in mysql queries.
我已经养成了通过我的int函数过滤用户提交的变量的习惯,这确保它是一个数字(如果不返回0)而不是在mysql查询中引用变量。
Is that bad practice? I think I decided to do this for performance reasons. Plus I've always thought that numbers shouldn't be put in quotes.
这是不好的做法吗?我想我出于性能原因决定这样做。另外,我一直认为数字不应该放在引号中。
Example:
if($perpage != $user['perpage']){
if($perpage == 50 || $perpage == 100 || $perpage == 200 ){
$DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]", __FILE__, __LINE__);
}
}
2 个解决方案
#1
5
aha! an interesting case here!
啊哈!这是一个有趣的案例!
-
You are right in general. It is always better to treat numbers as numbers, not strings
你是对的。将数字视为数字而不是字符串总是更好
- it makes your code more sane and consistent
- an
strict_modesetting in mysql, which won't allow you do disguise a number as a string, if turned on.
它使您的代码更加理智和一致
mysql中的strict_mode设置,如果打开,它将不允许您将数字伪装为字符串。
-
But your implementation in fact allows an injection! Let's leave it for your homework to find it :)
但实际上你的实现允许注射!让我们留下你的作业找到它:)
Here is a reference for you, explaining this injection: http://php.net/language.types.type-juggling
这里有一个参考,解释这个注入:http://php.net/language.types.type-juggling
so, I'd make your code like this
所以,我会让你的代码像这样
$perpage = intval($perpage);
if($perpage != $user['perpage'] && in_array($perpage,array(50,100,200) {
$DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]");
}
#2
2
As long as the values are properly checked through the use of PHP's intval method before using them, I don't see an issue with it. You could do yourself some favors in the future by doing that if you ever have to interact with a DB that thinks quotes around int values are a syntax error. (I believe MS SQL server does that.)
只要在使用PHP之前通过使用PHP的intval方法正确检查这些值,我就不会发现它存在问题。如果您必须与认为围绕int值的引号是语法错误的数据库进行交互,那么您可以在将来做一些好处。 (我相信MS SQL服务器可以做到这一点。)
#1
5
aha! an interesting case here!
啊哈!这是一个有趣的案例!
-
You are right in general. It is always better to treat numbers as numbers, not strings
你是对的。将数字视为数字而不是字符串总是更好
- it makes your code more sane and consistent
- an
strict_modesetting in mysql, which won't allow you do disguise a number as a string, if turned on.
它使您的代码更加理智和一致
mysql中的strict_mode设置,如果打开,它将不允许您将数字伪装为字符串。
-
But your implementation in fact allows an injection! Let's leave it for your homework to find it :)
但实际上你的实现允许注射!让我们留下你的作业找到它:)
Here is a reference for you, explaining this injection: http://php.net/language.types.type-juggling
这里有一个参考,解释这个注入:http://php.net/language.types.type-juggling
so, I'd make your code like this
所以,我会让你的代码像这样
$perpage = intval($perpage);
if($perpage != $user['perpage'] && in_array($perpage,array(50,100,200) {
$DB->query("UPDATE users SET perpage=$perpage WHERE id=$user[id]");
}
#2
2
As long as the values are properly checked through the use of PHP's intval method before using them, I don't see an issue with it. You could do yourself some favors in the future by doing that if you ever have to interact with a DB that thinks quotes around int values are a syntax error. (I believe MS SQL server does that.)
只要在使用PHP之前通过使用PHP的intval方法正确检查这些值,我就不会发现它存在问题。如果您必须与认为围绕int值的引号是语法错误的数据库进行交互,那么您可以在将来做一些好处。 (我相信MS SQL服务器可以做到这一点。)