c#到PHP SQL注入预防

本文关键字:注入 SQL PHP | 更新日期: 2023-09-27 18:01:02

我有一个简单的脚本可以将SQL查询发送到PHP脚本,但我不知道如何保护它免受SQL注入的影响。

你有主意吗?谢谢

C#脚本

private void SQLConnect()
{
string urlAddress = "XXX";

查询PHP脚本

string query = "INSERT INTO user (name) VALUES ('Test-Name')";

通过POST将查询发送到PHP脚本

using (WebClient client = new WebClient())
{
    NameValueCollection postData = new NameValueCollection()
{
{ "newQuery", query },
};
string pagesource = Encoding.UTF8.GetString(client.UploadValues(urlAddress, postData));
}
}

PHP脚本

$db_server = xxx;
$db_benutzer = 'xxx';
$db_passwort = 'xxx';
$db_name = 'xxx';

连接到数据库

$mysqli = new mysqli($db_server, $db_benutzer, $db_passwort, $db_name);
if ($mysqli->connect_errno) 
{
printf("Connect failed: %s'n", $mysqli->connect_error);
exit();
} 
else
{
echo "Connected...'n";
}

接收并执行来自C#的查询

$newQuery = $_POST["newQuery"];;
if ($mysqli->query($newQuery) === TRUE) 
{
echo("Success...'n");
}
mysqli_close($mysqli);

c#到PHP SQL注入预防

您可以拆分变量。因此,在你的帖子中,你有一个带有占位符的查询:INSERT INTO user(name(VALUES@p1

using (WebClient client = new WebClient())
{
    NameValueCollection postData = new NameValueCollection()
    {
        { "newQuery", query },
        { "P1", username }
    };
}

然后使用PHP安全地替换参数:http://php.net/manual/en/security.database.sql-injection.php

相关文章: