如何防止 SQL 注入更改 URL 参数（DELETE 语句）PHP

Question

我有一个如下代码，用于通过 URL 参数删除条目

<td><a href="deletecar.php?car_id=<?php echo $row_cars['car_id']; ?>" onclick=" if ( !confirm('Are you sure to DELETE?') ) return false; ">Delete</a></td>

这是URL参数输出

http://localhost/html/deletecar.php?car_id=17

但如果我将 car_id=17 更改为 car_id=23（在其他用户的汽车列表中），它就会删除

如何防止这种情况发生

deletecar.php 如下所示

<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") 
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;    
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

if ((isset($_GET['car_id'])) && ($_GET['car_id'] != "") && (isset($_SESSION['MM_Username']))) {
  $deleteSQL = sprintf("DELETE FROM cars WHERE car_id=%s",
                       GetSQLValueString($_GET['car_id'], "int"));

  mysql_select_db($database_conn, $conn);
  $Result1 = mysql_query($deleteSQL, $conn) or die(mysql_error());

  $deleteGoTo = "myaccount.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
    $deleteGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $deleteGoTo));
}
?>

这是我在数据库中的表

INSERT INTO `car` (`car_id`, `c_id`, `c_brand`, `c_model`, `c_model_nd`, `c_model_year`, `c_color`, `c_capacity`, `c_owner`, `c_statu`, `c_show`) VALUES
(16, '34DA1593', 'Volkswagen', 'Volt', '313 CDI', 2006, 'Beyaz', '', 18, 'yakamozturizm', 'Boş', 0),
(17, '34BC5897', 'Mercedes', 'Sprinter', '313CDI', 2006, 'Gri', '', 14, 'PcRestorer', 'Boş', 0),
(18, '34DBC145', 'Volkswagen', 'Volt', '213 CDI', 2013, 'Beyaz', '', 16, 'PcRestorer', 'Boş', 0);

编辑....

我已经像那样更改了我的代码

$colname_delete = "-1";
if (isset($_GET['car_id'])) {
  $colname_delete = $_GET['car_id'];
}
$owner_delete = "-1";
if (isset($_SESSION['MM_Username'])) {
  $owner_delete = $_SESSION['MM_Username'];
}

if ((isset($_GET['car_id'])) && ($_GET['car_id'] != "")) {
  $deleteSQL = sprintf("DELETE FROM minibusler  WHERE car_id = %s AND c_owner =%s", 

GetSQLValueString($colname_delete, "int"),
GetSQLValueString($owner_delete, "text"));

  mysql_select_db($database_conn, $conn);
  $Result1 = mysql_query($deleteSQL, $conn) or die(mysql_error());

  $deleteGoTo = "myaccount.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $deleteGoTo .= (strpos($deleteGoTo, '?')) ? "&" : "?";
    $deleteGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $deleteGoTo));
}

看起来很有效，您认为这样做是否安全

感谢您的帮助

Answer 1

让它不那么臃肿

if (empty($_SESSION['MM_Username'])) {
  exit; // take appropriate action here
}
if (empty($_GET['car_id'])) {
  exit; // take appropriate action here
}

mysql_select_db($database_conn, $conn);
$sql = sprintf("DELETE FROM minibusler  WHERE car_id = %s AND c_owner =%s", 
                GetSQLValueString($_GET['car_id'], "int"),
                GetSQLValueString($_SESSION['MM_Username'], "text"));
mysql_query($sql, $conn) or trigger_error(mysql_error());

header("Location: myaccount.php");
exit;

Answer 2

无论如何，在删除car 之前，您都应该检查它是否属于当前用户。如果没有显示合适的消息。