|
|
7³â Àü
|
Example#1 mysql_real_escape_string() ¿¹Á¦
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
OR die(mysql_error());
// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
?>
Example#2 SQL ÀÎÁ§¼Ç °ø°Ý(Injection Attack)ÀÇ ¿¹
<?php
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);
// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";
// This means the query sent to MySQL would be:
echo $query;
?>
MySQL·Î Àü¼ÛµÇ´Â ÁúÀÇ:
SELECT * FROM users WHERE name='aidan' AND password='' OR ''=''
À¯È¿ÇÑ ºñ¹Ð¹øÈ£ ¾øÀÌ ´©±¸³ª Á¢¼ÓÇÏ¿© Á¢±ÙÀÌ °¡´ÉÇÏ´Ù.
Example#3 "Best Practice" ÁúÀÇ
mysql_real_escape_string()Àº °¢ º¯¼ö¿¡ ´ëÇØ SQL ÀÎÁ§¼ÇÀ» ¹æÁöÇÑ´Ù. ÀÌ ¿¹Á¦´Â Magic Quotes ¼³Á¤°ú´Â º°°³·Î µ¥ÀÌÅͺ£À̽º¸¦ ÁúÀÇÇÏ´Â "best practice" ¹æ¹ýÀ» ½Ã¿¬ÇÑ´Ù.
<?php
// Quote variable to make safe
function quote_smart($value)
{
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Quote if not integer
if (!is_numeric($value)) {
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
OR die(mysql_error());
// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
quote_smart($_POST['username']),
quote_smart($_POST['password']));
mysql_query($query);
?>
SQL ÀÎÁ§¼Ç °ø°ÝÀÌ µ¿ÀÛÇÏÁö ¾ÊÀ¸¸ç ÁúÀÇ°¡ Á¤È®ÇÏ°Ô ½ÇÇàµÉ °ÍÀÌ´Ù |
|
̵̧ : 264 |
̵̧
¸ñ·Ï
|
|