有关PDO防sql注入问题-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

有关PDO防sql注入问题

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 23, 2016 pm 01:55 PM

pdosqlinjection

php还算新手
最近才开始转用pdo的

请教一
以前知道用mysql_real_escape_string

但是最近才知道 pdo是不能用mysql_real_escape_string
因为这个函数好像是要用mysql_connect() 先连好才能用的

还知道了要用bindParam这类的写法配合预处理

$stmt = $dbh->prepare ("INSERT INTO user (firstname, surname) VALUES (:f-name, :s-name)");
$stmt -> bindParam(':f-name', 'John');
$stmt -> bindParam(':s-name', 'Smith');
$stmt -> execute();

想请教一下bindParam是否已经足够安全?

还是用bindValue会更好?

请教二

相比mysql_real_escape_string好像麻烦点?

mysql_real_escape_string 处理后....写入数据库时

Tom's Book  在PHP中显示处理成  Tom\'s Book

但写入数据库中，是只保存 Tom's Book

这一点在前台显示时，是非常方便的，因为毕竟的纯粹的SELECT麻，也应该没什么安全问题...吧?

但是问题来了

既然bindParam自动加上了转义，甚至保存到数据库中，那我不知道前台有什么地方需要用到stripslashes()这个函数

难度每个地方都加吗?

有关这问题只有三个可能吧?

1. PDO有其他防SQL注入的方法??  保存时可以不用保存 "\" 这符号?
2. 有可能有配置文件加入一些东西...把全站都加上stripslashes()?   貌似不太可行?
3. 老老实实，除了日期或分类ID之外的，慢慢的一个个加上?

另外也想请教一下
$stmt = $dbh->prepare ("INSERT INTO user (firstname, surname) VALUES (:f-name, :s-name)");
$stmt -> bindParam(':f-name', 'John');
$stmt -> bindParam(':s-name', 'Smith');
$stmt -> execute();

除了用"?"以外，这一类的写法算合理吗?

还有，官方也提议我们用PDO需要升到5.3.6?  那还是直接升5.4 有需要特别注意什么吗?

回复讨论(解决方案)

确实是新手，还不知道 PDO::quote 方法的存在
用PDO需要升到5.3.6，是因为直到5.3.6，PDO才具有实用价值。之前的所有版本都存在着各种严重问题

prepare 准备
bindParam 绑定参数
这是为一条SQL多次使用（仅参数不同）准备的，而无需每轮都组装查询串

php 是通过 magic_quotes_gpc 来决定是否对外来数据做转义处理的
php 5.3.6及以后默认关闭
php5.4.0及以后忽视它的存在
也就是说：安全问题是你自己的问题，php不打算替你完成了

用了
prepare
bindParam

是否也不足够

要用PDO::quote?

那想请问一下

用quote的话不是取代了prepare?
就不能预处理或者批量insert?

预处理后用 execute 和直接用 query 是两条路
quote 是转义，对于预处理后的 execute 会自动隐式执行
对于 query 需自己显式的执行

明白了??

但是....
$sql = "INSERT INTO foo (id,name) VALUES ('',:name)";
$stmt = $pdo->prepare($sql);

$stmt->bindParam(':name', $name);

$name = $pdo->quote($_POST["name"]);

$stmt->execute();

比如我输入：peter's book

但为什么会保存成'peter's book'

这是正常的吗?

我输出是要做些处理?

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

How to calculate the total number of elements in a PHP multidimensional array?May 15, 2025 pm 09:00 PM

Calculating the total number of elements in a PHP multidimensional array can be done using recursive or iterative methods. 1. The recursive method counts by traversing the array and recursively processing nested arrays. 2. The iterative method uses the stack to simulate recursion to avoid depth problems. 3. The array_walk_recursive function can also be implemented, but it requires manual counting.

What are the characteristics of do-while loops in PHP?May 15, 2025 pm 08:57 PM

In PHP, the characteristic of a do-while loop is to ensure that the loop body is executed at least once, and then decide whether to continue the loop based on the conditions. 1) It executes the loop body before conditional checking, suitable for scenarios where operations need to be performed at least once, such as user input verification and menu systems. 2) However, the syntax of the do-while loop can cause confusion among newbies and may add unnecessary performance overhead.

How to hash strings in PHP?May 15, 2025 pm 08:54 PM

Efficient hashing strings in PHP can use the following methods: 1. Use the md5 function for fast hashing, but is not suitable for password storage. 2. Use the sha256 function to improve security. 3. Use the password_hash function to process passwords to provide the highest security and convenience.

How to implement array sliding window in PHP?May 15, 2025 pm 08:51 PM

Implementing an array sliding window in PHP can be done by functions slideWindow and slideWindowAverage. 1. Use the slideWindow function to split an array into a fixed-size subarray. 2. Use the slideWindowAverage function to calculate the average value in each window. 3. For real-time data streams, asynchronous processing and outlier detection can be used using ReactPHP.

How to use the __clone method in PHP?May 15, 2025 pm 08:48 PM

The __clone method in PHP is used to perform custom operations when object cloning. When cloning an object using the clone keyword, if the object has a __clone method, the method will be automatically called, allowing customized processing during the cloning process, such as resetting the reference type attribute to ensure the independence of the cloned object.

How to use goto statements in PHP?May 15, 2025 pm 08:45 PM

In PHP, goto statements are used to unconditionally jump to specific tags in the program. 1) It can simplify the processing of complex nested loops or conditional statements, but 2) Using goto may make the code difficult to understand and maintain, and 3) It is recommended to give priority to the use of structured control statements. Overall, goto should be used with caution and best practices are followed to ensure the readability and maintainability of the code.

How to implement data statistics in PHP?May 15, 2025 pm 08:42 PM

In PHP, data statistics can be achieved by using built-in functions, custom functions, and third-party libraries. 1) Use built-in functions such as array_sum() and count() to perform basic statistics. 2) Write custom functions to calculate complex statistics such as medians. 3) Use the PHP-ML library to perform advanced statistical analysis. Through these methods, data statistics can be performed efficiently.

How to use anonymous functions in PHP?May 15, 2025 pm 08:39 PM

Yes, anonymous functions in PHP refer to functions without names. They can be passed as parameters to other functions and as return values of functions, making the code more flexible and efficient. When using anonymous functions, you need to pay attention to scope and performance issues.

See all articles