An article analyzing how PHP's preprocessed queries prevent SQL injection-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

An article analyzing how PHP's preprocessed queries prevent SQL injection

藏色散人

Mar 10, 2023 pm 03:32 PM

phpsql injection

This article brings you relevant knowledge about PHP. It mainly talks about what is a preprocessing statement? How does PHP's preprocessed query prevent SQL injection? Friends who are interested can take a look below. I hope it will be helpful to everyone.

An article analyzing how PHP's preprocessed queries prevent SQL injection

#How does PHP's preprocessed query prevent SQL injection?

Currently the most effective way to prevent SQL injection is to use prepared statements and parameterized queries.

Take the most commonly used PHP PDO extension as an example.

Introduction to prepared statements in the official documentation

What are prepared statements?

Think of it as a compiled template of the SQL you want to run, which can be customized using variable parameters.

Two major benefits of prepared statements:

1; The query only needs to be parsed (or preprocessed) once, but can be executed multiple times with the same or different parameters. When a query is ready, the database analyzes, compiles, and optimizes the plan for executing the query. This process takes longer for complex queries and can significantly slow down your application if the same query needs to be repeated multiple times with different parameters. By using prepared statements, you can avoid repeated analysis/compile/optimization cycles. Simply put, prepared statements use fewer resources and therefore run faster.

2. The parameters provided to the prepared statement do not need to be enclosed in quotation marks, the driver will automatically handle them. If your application only uses prepared statements, you can ensure that SQL injection does not occur. (However, if other parts of the query are constructed from unescaped input, there is still a risk of SQL injection).

The characteristic of PDO is that when the driver does not support preprocessing, PDO will simulate processing. At this time, the preprocessing-parameterized query process is completed in the PDO simulator. The PDO simulator locally escapes the input parameters according to the character set specified in the DSN, and then splices them into a complete SQL statement and sends it to the MySQL server.

So, whether the PDO simulator can correctly escape input parameters is the key to intercepting SQL injection.

For PHP versions less than 5.3.6, DSN (Data Source Name) ignores the charset parameter by default. At this time, if you use PDO's local escape, it may still lead to SQL injection.

Therefore, the bottom layer of the Laravel framework will directly set PDO::ATTR_EMULATE_PREPARES=false to ensure that SQL statements and parameter values will not be parsed by PHP before being sent to the MySQL server.

The implementation of PHP

// 查询
$calories = 150;
$colour = &#39;red&#39;;  
$sth = $dbh->prepare(&#39;SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour&#39;);  
$sth->bindValue(&#39;:calories&#39;, $calories, PDO::PARAM_INT);  
$sth->bindValue(&#39;:colour&#39;, $colour, PDO::PARAM_STR);  
$sth->execute();

// 插入，修改，删除
$preparedStmt = $db->prepare(&#39;INSERT INTO table (column) VALUES (:column)&#39;);
$preparedStmt->execute(array(&#39;:column&#39; => $unsafeValue));

The underlying implementation of Laravel

// 查询的实现
public function select($query, $bindings = [], $useReadPdo = true)
{
    return $this->run($query, $bindings, function ($query, $bindings) use ($useReadPdo) {
        if ($this->pretending()) {
                return [];
        }
        $statement = $this->prepared(
                $this->getPdoForSelect($useReadPdo)->prepare($query)
        );
        $this->bindValues($statement, $this->prepareBindings($bindings));
        $statement->execute();
        return $statement->fetchAll();
    });
}
// 修改删除的实现
public function affectingStatement($query, $bindings = [])
{
    return $this->run($query, $bindings, function ($query, $bindings) {
        if ($this->pretending()) {
                return 0;
        }
        $statement = $this->getPdo()->prepare($query);
        $this->bindValues($statement, $this->prepareBindings($bindings));
        $statement->execute();
        $this->recordsHaveBeenModified(
                ($count = $statement->rowCount()) > 0
        );
        return $count;
    });
}

Recommended learning: "PHP Video Tutorial"

The above is the detailed content of An article analyzing how PHP's preprocessed queries prevent SQL injection. For more information, please follow other related articles on the PHP Chinese website!

Statement

This article is reproduced at:learnku. If there is any infringement, please contact admin@php.cn delete

PHP Dependency Injection Container: A Quick StartMay 13, 2025 am 12:11 AM

APHPDependencyInjectionContainerisatoolthatmanagesclassdependencies,enhancingcodemodularity,testability,andmaintainability.Itactsasacentralhubforcreatingandinjectingdependencies,thusreducingtightcouplingandeasingunittesting.

Dependency Injection vs. Service Locator in PHPMay 13, 2025 am 12:10 AM

Select DependencyInjection (DI) for large applications, ServiceLocator is suitable for small projects or prototypes. 1) DI improves the testability and modularity of the code through constructor injection. 2) ServiceLocator obtains services through center registration, which is convenient but may lead to an increase in code coupling.

PHP performance optimization strategies.May 13, 2025 am 12:06 AM

PHPapplicationscanbeoptimizedforspeedandefficiencyby:1)enablingopcacheinphp.ini,2)usingpreparedstatementswithPDOfordatabasequeries,3)replacingloopswitharray_filterandarray_mapfordataprocessing,4)configuringNginxasareverseproxy,5)implementingcachingwi

PHP Email Validation: Ensuring Emails Are Sent CorrectlyMay 13, 2025 am 12:06 AM

PHPemailvalidationinvolvesthreesteps:1)Formatvalidationusingregularexpressionstochecktheemailformat;2)DNSvalidationtoensurethedomainhasavalidMXrecord;3)SMTPvalidation,themostthoroughmethod,whichchecksifthemailboxexistsbyconnectingtotheSMTPserver.Impl

How to make PHP applications fasterMay 12, 2025 am 12:12 AM

TomakePHPapplicationsfaster,followthesesteps:1)UseOpcodeCachinglikeOPcachetostoreprecompiledscriptbytecode.2)MinimizeDatabaseQueriesbyusingquerycachingandefficientindexing.3)LeveragePHP7 Featuresforbettercodeefficiency.4)ImplementCachingStrategiessuc

PHP Performance Optimization Checklist: Improve Speed NowMay 12, 2025 am 12:07 AM

ToimprovePHPapplicationspeed,followthesesteps:1)EnableopcodecachingwithAPCutoreducescriptexecutiontime.2)ImplementdatabasequerycachingusingPDOtominimizedatabasehits.3)UseHTTP/2tomultiplexrequestsandreduceconnectionoverhead.4)Limitsessionusagebyclosin

PHP Dependency Injection: Improve Code TestabilityMay 12, 2025 am 12:03 AM

Dependency injection (DI) significantly improves the testability of PHP code by explicitly transitive dependencies. 1) DI decoupling classes and specific implementations make testing and maintenance more flexible. 2) Among the three types, the constructor injects explicit expression dependencies to keep the state consistent. 3) Use DI containers to manage complex dependencies to improve code quality and development efficiency.

PHP Performance Optimization: Database Query OptimizationMay 12, 2025 am 12:02 AM

DatabasequeryoptimizationinPHPinvolvesseveralstrategiestoenhanceperformance.1)Selectonlynecessarycolumnstoreducedatatransfer.2)Useindexingtospeedupdataretrieval.3)Implementquerycachingtostoreresultsoffrequentqueries.4)Utilizepreparedstatementsforeffi

See all articles