阅读了几乎所有的帖子,但无法判断我的程序是否易受伤害?任何帮助表示赞赏。以下MySql存储过程是否容易受到sql注入?
1)调用过程为:
$query = ($is_mine?'call dispatch.dis_get_my_assigned_tasks("'.$username.'");'
步骤:
CREATE DEFINER=`test`@`localhost` PROCEDURE `dis_get_all_assigned_tasks`()
BEGIN
select distinct at_id, at_issues, at_location, at_room_number, user_fname,
from dispatch.dis_assigned_tasks
left outer join dispatch.dis_users
on user_id = at_user
order by at_location, at_user_pickup_timestamp desc;
END
2)调用方法如:
$query = "call dispatch.dis_get_user_info('".$username."');";
步骤:
CREATE DEFINER=`test`@`localhost` PROCEDURE `dis_get_user_info`(IN username VARCHAR(45))
BEGIN
select * from dispatch.dis_users where user_username = username;
END
这是没有安全审查服务。如果您担心这些查询中存在特定问题,请告知我们您的想法是哪一个。 – hakre
可能的重复[如何防止SQL注入PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – hakre
看起来像它测试与'看看它是不是.. –