Php中用PDO查询Mysql来避免SQL注入风险的方法-php手册-php.cn

Home

php教程

php手册

Php中用PDO查询Mysql来避免SQL注入风险的方法

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 am 11:53 AM

c mysql pdo php sql use us method Inquire injection of avoid risk

当我们使用传统的 mysql_connect 、mysql_query方法来连接查询数据库时，如果过滤不严，就有SQL注入风险，导致网站被攻击，失去控制。虽然可以用mysql_real_escape_string()函数过滤用户提交的值，但是也有缺陷。而使用PHP的PDO扩展的 prepare 方法，就可以避免sql injection 风险。

PDO(PHP Data Object) 是PHP5新加入的一个重大功能，因为在PHP 5以前的php4/php3都是一堆的数据库扩展来跟各个数据库的连接和处理，如 php_mysql.dll。 PHP6中也将默认使用PDO的方式连接，mysql扩展将被作为辅助。官方：http://php.net/manual/en/book.pdo.php

1、PDO配置
使用PDO扩展之前，先要启用这个扩展，PHP.ini中，去掉"extension=php_pdo.dll"前面的";"号,若要连接数据库，还需要去掉与PDO相关的数据库扩展前面的";"号（一般用的是php_pdo_mysql.dll），然后重启Apache服务器即可。

复制代码代码如下:

extension=php_pdo.dll
extension=php_pdo_mysql.dll

2、PDO连接mysql数据库

复制代码代码如下:

$dbh = new PDO("mysql:host=localhost;dbname=db_demo","root","password");

默认不是长连接，若要使用数据库长连接，需要在最后加如下参数:

复制代码代码如下:

$dbh = new PDO("mysql:host=localhost;dbname=db_demo","root","password","array(PDO::ATTR_PERSISTENT => true)");
$dbh = null; //(释放)

3、PDO设置属性

1) PDO有三种错误处理方式：

• PDO::ERrmODE_SILENT不显示错误信息，只设置错误码
• PDO::ERrmODE_WARNING显示警告错
• PDO::ERrmODE_EXCEPTION抛出异常

可通过以下语句来设置错误处理方式为抛出异常

复制代码代码如下:

$db->setAttribute(PDO::ATTR_ERrmODE, PDO::ERrmODE_EXCEPTION);

当设置为PDO::ERrmODE_SILENT时可以通过调用errorCode() 或errorInfo()来获得错误信息，当然其他情况下也可以。

2) 因为不同数据库对返回的字段名称大小写处理不同，所以PDO提供了PDO::ATTR_CASE设置项（包括PDO::CASE_LOWER，PDO::CASE_NATURAL，PDO::CASE_UPPER），来确定返回的字段名称的大小写。

3) 通过设置PDO::ATTR_ORACLE_NULLS类型（包括PDO::NULL_NATURAL，PDO::NULL_EmpTY_STRING，PDO::NULL_TO_STRING）来指定数据库返回的NULL值在php中对应的数值。

4、PDO常用方法及其应用
PDO::query() 主要是用于有记录结果返回的操作，特别是SELECT操作
PDO::exec() 主要是针对没有结果集合返回的操作，如INSERT、UPDATE等操作
PDO::prepare() 主要是预处理操作，需要通过$rs->execute()来执行预处理里面的SQL语句，这个方法可以绑定参数，功能比较强大（防止sql注入就靠这个）
PDO::lastInsertId() 返回上次插入操作，主键列类型是自增的最后的自增ID
PDOStatement::fetch() 是用来获取一条记录
PDOStatement::fetchAll() 是获取所有记录集到一个集合
PDOStatement::fetchColumn() 是获取结果指定第一条记录的某个字段，缺省是第一个字段
PDOStatement::rowCount() :主要是用于PDO::query()和PDO::prepare()进行DELETE、INSERT、UPDATE操作影响的结果集，对PDO::exec()方法和SELECT操作无效。

5、PDO操作MYSQL数据库实例

复制代码代码如下:

$pdo = new PDO("mysql:host=localhost;dbname=db_demo","root","");
if($pdo -> exec("insert into db_demo(name,content) values('title','content')")){
echo "插入成功！";
echo $pdo -> lastinsertid();
}
?>

复制代码代码如下:

$pdo = new PDO("mysql:host=localhost;dbname=db_demo","root","");
$rs = $pdo -> query("select * from test");
$rs->setFetchMode(PDO::FETCH_ASSOC); //关联数组形式
//$rs->setFetchMode(PDO::FETCH_NUM); //数字索引数组形式
while($row = $rs -> fetch()){
print_r($row);
}
?>

复制代码代码如下:

foreach( $db->query( "SELECT * FROM feeds" ) as $row )
{
print_r( $row );
}
?>

统计有多少行数据

复制代码代码如下:

$sql="select count(*) from test";
$num = $dbh->query($sql)->fetchColumn();

prepare方式

复制代码代码如下:

$stmt = $dbh->prepare("select * from test");
if ($stmt->execute()) {
while ($row = $stmt->fetch()) {
print_r($row);
}
}

Prepare参数化查询

复制代码代码如下:

$stmt = $dbh->prepare("select * from test where name = ?");
if ($stmt->execute(array("david"))) {
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
print_r($row);
}
}

【下面来说说重点了，如何防止 sql注入】

使用PDO访问MySQL数据库时，真正的real prepared statements 默认情况下是不使用的。为了解决这个问题，你必须禁用 prepared statements的仿真效果。下面是使用PDO创建链接的例子：

复制代码代码如下:

$dbh = new PDO('mysql:dbname=dbtest;host=127.0.0.1;charset=utf8', 'user', 'pass');
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

setAttribute（）这一行是强制性的，它会告诉 PDO 禁用模拟预处理语句，并使用 real parepared statements 。这可以确保SQL语句和相应的值在传递到mysql服务器之前是不会被PHP解析的（禁止了所有可能的恶意SQL注入攻击）。虽然你可以配置文件中设置字符集的属性(charset=utf8)，但是需要格外注意的是，老版本的 PHP（

我们来看一段完整的代码使用实例：

复制代码代码如下:

$dbh = new PDO("mysql:host=localhost; dbname=demo", "user", "pass");
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); //禁用prepared statements的仿真效果
$dbh->exec("set names 'utf8'");
$sql="select * from test where name = ? and password = ?";
$stmt = $dbh->prepare($sql);
$exeres = $stmt->execute(array($testname, $pass));
if ($exeres) {
while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
print_r($row);
}
}
$dbh = null;

上面这段代码就可以防范sql注入。为什么呢？

当调用 prepare() 时，查询语句已经发送给了数据库服务器，此时只有占位符 ? 发送过去，没有用户提交的数据；当调用到 execute()时，用户提交过来的值才会传送给数据库，他们是分开传送的，两者独立的，SQL攻击者没有一点机会。

但是我们需要注意的是以下几种情况，PDO并不能帮助你防范SQL注入

1、你不能让占位符 ? 代替一组值，如：

复制代码代码如下:

SELECT * FROM blog WHERE userid IN ( ? );

2、你不能让占位符代替数据表名或列名，如：

复制代码代码如下:

SELECT * FROM blog ORDER BY ?;

3、你不能让占位符 ? 代替任何其他SQL语法，如：

复制代码代码如下:

SELECT EXTRACT( ? FROM datetime_column) AS variable_datetime_element FROM blog;

Statement of this Website

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Hot AI Tools

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress images for free

Clothoff.io

AI clothes remover

Video Face Swap

Swap faces in any video effortlessly with our completely free AI face swap tool!

Hot Article

What's New in Windows 11 KB5054979 & How to Fix Update Issues

3 weeks ago By DDD

How to fix KB5055523 fails to install in Windows 11?

2 weeks ago By DDD

InZoi: How To Apply To School And University

3 weeks ago By DDD

How to fix KB5055518 fails to install in Windows 10?

2 weeks ago By DDD

Roblox: Dead Rails – How To Summon And Defeat Nikola Tesla

4 weeks ago By 尊渡假赌尊渡假赌尊渡假赌

Hot Tools

Notepad++7.3.1

Easy-to-use and free code editor

SublimeText3 Chinese version

Chinese version, very easy to use

Zend Studio 13.0.1

Powerful PHP integrated development environment

Dreamweaver CS6

Visual web development tools

SublimeText3 Mac version

God-level code editing software (SublimeText3)

Hot Topics

Where is the login entrance for gmail email?

7807

Java Tutorial

1645

CakePHP Tutorial

1402

Laravel Tutorial

1300

PHP Tutorial

1236

Related knowledge

PHP's Purpose: Building Dynamic Websites Apr 15, 2025 am 12:18 AM

PHP is used to build dynamic websites, and its core functions include: 1. Generate dynamic content and generate web pages in real time by connecting with the database; 2. Process user interaction and form submissions, verify inputs and respond to operations; 3. Manage sessions and user authentication to provide a personalized experience; 4. Optimize performance and follow best practices to improve website efficiency and security.

PHP and Python: Different Paradigms Explained Apr 18, 2025 am 12:26 AM

PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.

Why Use PHP? Advantages and Benefits Explained Apr 16, 2025 am 12:16 AM

The core benefits of PHP include ease of learning, strong web development support, rich libraries and frameworks, high performance and scalability, cross-platform compatibility, and cost-effectiveness. 1) Easy to learn and use, suitable for beginners; 2) Good integration with web servers and supports multiple databases; 3) Have powerful frameworks such as Laravel; 4) High performance can be achieved through optimization; 5) Support multiple operating systems; 6) Open source to reduce development costs.

Choosing Between PHP and Python: A Guide Apr 18, 2025 am 12:24 AM

PHP is suitable for web development and rapid prototyping, and Python is suitable for data science and machine learning. 1.PHP is used for dynamic web development, with simple syntax and suitable for rapid development. 2. Python has concise syntax, is suitable for multiple fields, and has a strong library ecosystem.

MySQL's Role: Databases in Web Applications Apr 17, 2025 am 12:23 AM

The main role of MySQL in web applications is to store and manage data. 1.MySQL efficiently processes user information, product catalogs, transaction records and other data. 2. Through SQL query, developers can extract information from the database to generate dynamic content. 3.MySQL works based on the client-server model to ensure acceptable query speed.

How to start mysql by docker Apr 15, 2025 pm 12:09 PM

The process of starting MySQL in Docker consists of the following steps: Pull the MySQL image to create and start the container, set the root user password, and map the port verification connection Create the database and the user grants all permissions to the database

Laravel Introduction Example Apr 18, 2025 pm 12:45 PM

Laravel is a PHP framework for easy building of web applications. It provides a range of powerful features including: Installation: Install the Laravel CLI globally with Composer and create applications in the project directory. Routing: Define the relationship between the URL and the handler in routes/web.php. View: Create a view in resources/views to render the application's interface. Database Integration: Provides out-of-the-box integration with databases such as MySQL and uses migration to create and modify tables. Model and Controller: The model represents the database entity and the controller processes HTTP requests.

PHP and Python: A Deep Dive into Their History Apr 18, 2025 am 12:25 AM

PHP originated in 1994 and was developed by RasmusLerdorf. It was originally used to track website visitors and gradually evolved into a server-side scripting language and was widely used in web development. Python was developed by Guidovan Rossum in the late 1980s and was first released in 1991. It emphasizes code readability and simplicity, and is suitable for scientific computing, data analysis and other fields.

See all articles