PHP-PDO引用对SQL注入安全吗? [英] PHP - Does PDO quote safe from SQL Injection?
问题描述
$id = trim((int)$_GET['id']);
$sql = 'SELECT * FROM users WHERE id = ' . $db->quote($id) . ' LIMIT 1';
$run = $db->query($sql)->fetch();
PDO的引用方法作为准备好的语句是否安全?还是我必须在脚本中一直使用准备好的语句?
Does PDO's quote method is safe as prepared statements? Or i have to use prepared statements all the way in my script?
推荐答案
基本上quote()作为准备好的语句是安全的,但它取决于quote()的正确实现,当然还取决于其后续用法.另外,还必须考虑所使用的数据库系统/PDO驱动程序的实现,以便回答该问题.
Basically quote() is safe as prepared statements but it depends on the proper implementation of quote() and of course also on it's consequent usage. Additionally the implementation of the used database system/PDO driver has to be taken into account in order to answer the question.
预备语句 可以作为基础数据库协议(例如MySQL)的功能,然后将在数据库服务器上预备"(服务器站点prepare ),则不一定必须如此,也可以在客户端站点上进行解析(客户端站点prepare ).
While a prepared statement can be a feature of the underlying database protocol (like MySQL) and will then being "prepared" on the database server (a server site prepare), it does not necessarily have to be and can be parsed on client site as well (a client site prepare).
在PDO中,这取决于:
In PDO this depends on:
- 驱动程序/数据库系统是否支持服务器端准备好的语句?
-
PDO::ATTR_EMULATE_PREPARES必须设置为false(如果驱动程序支持,则为默认值)
- Does the driver/database system support server side prepared statements?
PDO::ATTR_EMULATE_PREPARESmust be set tofalse(default if the driver supports it)
如果不满足其中一个条件,则PDO会再次使用quote()之类的方法退回到客户端站点准备.
If one of the conditions is not met, PDO falls back to client site prepares, using something like quote() under the hood again.
结论:
使用准备好的语句不会造成任何伤害,我鼓励您使用它们.即使您显式使用PDO::ATTR_EMULATE_PREPARES或驱动程序根本不支持服务器站点准备,准备好的语句也将强制执行一个工作流,在此工作流中不会忘记引用是安全的.请同时检查@YourCommonSense的答案.他对此进行了详细说明.
Using prepared statements doesn't hurt, I would encourage you to use them. Even if you explicitly use PDO::ATTR_EMULATE_PREPARES or your driver does not support server site prepares at all, prepared statements will enforce a workflow where it is safe that quoting can't be forgotten. Please check also @YourCommonSense's answer. He elaborates on that.
这篇关于PHP-PDO引用对SQL注入安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
