How safe are PDO prepared statements
Question
Started using PDO prepared statements not too long ago, and, as I understand, it does all the escaping/security for you.
For example, assuming $_POST['title'] is a form field.
$title = $_POST['title'];
$query = "insert into blog(userID, title) values (?, ?)";
$st = $sql->prepare($query);
$st->bindParam(1, $_SESSION['user']['userID'], PDO::PARAM_INT); // bound as an integer
$st->bindParam(2, $title);                                        // bound as a string (default)
$st->execute();
Is this really safe? Do I have to do anything else? What else do I have to take into consideration?
Thanks.
Answer
Strictly speaking, there's actually no escaping needed, because the parameter value is never interpolated into the query string.
The way query parameters work is that the query is sent to the database server when you call prepare(), and parameter values are sent later, when you call execute(). So they are kept separate from the textual form of the query. There's never an opportunity for SQL injection (provided PDO::ATTR_EMULATE_PREPARES is false).
So yes, query parameters help you to avoid that form of security vulnerability.
Are they 100% proof against any security vulnerability? No, of course not. As you may know, a query parameter only takes the place of a single literal value in an SQL expression. You can't make a single parameter substitute for a list of values, for example:
SELECT * FROM blog WHERE userid IN ( ? );
You can't use a parameter to make table names or column names dynamic:
SELECT * FROM blog ORDER BY ?;
You can't use a parameter for any other type of SQL syntax:
SELECT EXTRACT( ? FROM datetime_column) AS variable_datetime_element FROM blog;
So there are quite a few cases where you have to manipulate the query as a string, prior to the prepare() call. In these cases, you still need to write code carefully to avoid SQL injection.
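An added example (not part of the original answer) of handling two of the cases above without interpolating user data: the IN list gets one placeholder per value, and the ORDER BY column is checked against a fixed whitelist because identifiers cannot be bound. The DSN, credentials, the column list and the sample user IDs are assumptions.

```php
<?php
declare(strict_types=1);

/** Build "?, ?, ?" with one placeholder per value; the values themselves are still bound. */
function placeholdersFor(array $values): string
{
    if ($values === []) {
        throw new InvalidArgumentException('IN list must not be empty');
    }
    return implode(', ', array_fill(0, count($values), '?'));
}

/** Column names cannot be parameters, so only accept names from a known list. */
function safeOrderColumn(string $requested): string
{
    $allowed = ['title', 'userID', 'created_at']; // assumption: real columns of `blog`
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    return $requested;
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    // Native prepares: the server receives the statement and the values separately.
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

$userIds = [3, 7, 42];                    // constructed sample input (e.g. from a form)
$orderBy = $_GET['sort'] ?? 'created_at'; // untrusted input, validated by the whitelist

// Only placeholders and a whitelisted identifier are concatenated into the SQL text.
$sql = sprintf(
    'SELECT userID, title FROM blog WHERE userID IN (%s) ORDER BY %s',
    placeholdersFor($userIds),
    safeOrderColumn($orderBy)
);

$st = $pdo->prepare($sql);
foreach ($userIds as $i => $id) {
    $st->bindValue($i + 1, (int) $id, PDO::PARAM_INT); // positional placeholders are 1-based
}
$st->execute();

foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo $row['userID'], ': ', $row['title'], PHP_EOL;
}
```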