有关PDO防sql注入问题
php还算新手
最近才开始转用pdo的
请教一
以前知道用mysql_real_escape_string
但是最近才知道 pdo是不能用mysql_real_escape_string
因为这个函数好像是要用mysql_connect() 先连好才能用的
还知道了要用bindParam这类的写法配合预处理
$stmt = $dbh->prepare ("INSERT INTO user (firstname, surname) VALUES (:f-name, :s-name)");
$stmt -> bindParam(':f-name', 'John');
$stmt -> bindParam(':s-name', 'Smith');
$stmt -> execute();
想请教一下bindParam是否已经足够安全?
还是用bindValue会更好?
请教二
相比mysql_real_escape_string好像麻烦点?
mysql_real_escape_string 处理后....写入数据库时
Tom's Book 在PHP中显示处理成 Tom\'s Book
但写入数据库中,是只保存 Tom's Book
这一点在前台显示时,是非常方便的,因为毕竟的纯粹的SELECT麻,也应该没什么安全问题...吧?
但是问题来了
既然bindParam自动加上了转义,甚至保存到数据库中,那我不知道前台有什么地方需要用到stripslashes()这个函数
难度每个地方都加吗?
有关这问题只有三个可能吧?
1. PDO有其他防SQL注入的方法?? 保存时可以不用保存 "\" 这符号?
2. 有可能有配置文件加入一些东西...把全站都加上stripslashes()? 貌似不太可行?
3. 老老实实,除了日期或分类ID之外的,慢慢的一个个加上?
另外也想请教一下
$stmt = $dbh->prepare ("INSERT INTO user (firstname, surname) VALUES (:f-name, :s-name)");
$stmt -> bindParam(':f-name', 'John');
$stmt -> bindParam(':s-name', 'Smith');
$stmt -> execute();
除了用"?"以外,这一类的写法算合理吗?
还有,官方也提议我们用PDO需要升到5.3.6? 那还是直接升5.4 有需要特别注意什么吗?
回复讨论(解决方案)
确实是新手,还不知道 PDO::quote 方法的存在
用PDO需要升到5.3.6,是因为直到5.3.6,PDO才具有实用价值。之前的所有版本都存在着各种严重问题
prepare 准备
bindParam 绑定参数
这是为一条SQL多次使用(仅参数不同)准备的,而无需每轮都组装查询串
php 是通过 magic_quotes_gpc 来决定是否对外来数据做转义处理的
php 5.3.6及以后默认关闭
php5.4.0及以后忽视它的存在
也就是说:安全问题是你自己的问题,php不打算替你完成了
用了
prepare
bindParam
是否也不足够
要用PDO::quote?
那想请问一下
用quote的话不是取代了prepare?
就不能预处理或者批量insert?
预处理后用 execute 和 直接用 query 是两条路
quote 是转义,对于预处理后的 execute 会自动隐式执行
对于 query 需自己显式的执行
预处理后用 execute 和 直接用 query 是两条路
quote 是转义,对于预处理后的 execute 会自动隐式执行
对于 query 需自己显式的执行
但是....
$sql = "INSERT INTO foo (id,name) VALUES ('',:name)";
$stmt = $pdo->prepare($sql);
$stmt->bindParam(':name', $name);
$name = $pdo->quote($_POST["name"]);
$stmt->execute();
比如我输入:peter's book
但为什么会保存成'peter's book'
这是正常的吗?
我输出是要做些处理?
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1673
14
1429
52
1333
25
1278
29
1257
24
What is the difference between HQL and SQL in Hibernate framework?
Apr 17, 2024 pm 02:57 PM
HQL and SQL are compared in the Hibernate framework: HQL (1. Object-oriented syntax, 2. Database-independent queries, 3. Type safety), while SQL directly operates the database (1. Database-independent standards, 2. Complex executable queries and data manipulation).
Usage of division operation in Oracle SQL
Mar 10, 2024 pm 03:06 PM
"Usage of Division Operation in OracleSQL" In OracleSQL, division operation is one of the common mathematical operations. During data query and processing, division operations can help us calculate the ratio between fields or derive the logical relationship between specific values. This article will introduce the usage of division operation in OracleSQL and provide specific code examples. 1. Two ways of division operations in OracleSQL In OracleSQL, division operations can be performed in two different ways.
Comparison and differences of SQL syntax between Oracle and DB2
Mar 11, 2024 pm 12:09 PM
Oracle and DB2 are two commonly used relational database management systems, each of which has its own unique SQL syntax and characteristics. This article will compare and differ between the SQL syntax of Oracle and DB2, and provide specific code examples. Database connection In Oracle, use the following statement to connect to the database: CONNECTusername/password@database. In DB2, the statement to connect to the database is as follows: CONNECTTOdataba
Detailed explanation of the Set tag function in MyBatis dynamic SQL tags
Feb 26, 2024 pm 07:48 PM
Interpretation of MyBatis dynamic SQL tags: Detailed explanation of Set tag usage MyBatis is an excellent persistence layer framework. It provides a wealth of dynamic SQL tags and can flexibly construct database operation statements. Among them, the Set tag is used to generate the SET clause in the UPDATE statement, which is very commonly used in update operations. This article will explain in detail the usage of the Set tag in MyBatis and demonstrate its functionality through specific code examples. What is Set tag Set tag is used in MyBati
What does the identity attribute in SQL mean?
Feb 19, 2024 am 11:24 AM
What is Identity in SQL? Specific code examples are needed. In SQL, Identity is a special data type used to generate auto-incrementing numbers. It is often used to uniquely identify each row of data in a table. The Identity column is often used in conjunction with the primary key column to ensure that each record has a unique identifier. This article will detail how to use Identity and some practical code examples. The basic way to use Identity is to use Identit when creating a table.
PHP PDO vs. mysqli: compare and contrast
Feb 19, 2024 pm 12:24 PM
PDOPDO is an object-oriented database access abstraction layer that provides a unified interface for PHP, allowing you to use the same code to interact with different databases (such as Mysql, postgresql, oracle). PDO hides the complexity of underlying database connections and simplifies database operations. Advantages and Disadvantages Advantages: Unified interface, supports multiple databases, simplifies database operations, reduces development difficulty, provides prepared statements, improves security, supports transaction processing Disadvantages: performance may be slightly lower than native extensions, relies on external libraries, may increase overhead, demo code uses PDO Connect to mysql database: $db=newPDO("mysql:host=localhost;dbnam
How to solve the 5120 error in SQL
Mar 06, 2024 pm 04:33 PM
Solution: 1. Check whether the logged-in user has sufficient permissions to access or operate the database, and ensure that the user has the correct permissions; 2. Check whether the account of the SQL Server service has permission to access the specified file or folder, and ensure that the account Have sufficient permissions to read and write the file or folder; 3. Check whether the specified database file has been opened or locked by other processes, try to close or release the file, and rerun the query; 4. Try as administrator Run Management Studio as etc.
PHP PDO Tutorial: An Advanced Guide from Basics to Mastery
Feb 19, 2024 pm 06:30 PM
1. Introduction to PDO PDO is an extension library of PHP, which provides an object-oriented way to operate the database. PDO supports a variety of databases, including Mysql, postgresql, oracle, SQLServer, etc. PDO enables developers to use a unified API to operate different databases, which allows developers to easily switch between different databases. 2. PDO connects to the database. To use PDO to connect to the database, you first need to create a PDO object. The constructor of the PDO object receives three parameters: database type, host name, database username and password. For example, the following code creates an object that connects to a mysql database: $dsn="mysq
