PDO execute($input_parameter) protects from SQL injections as bindParam/bindValue?
Question
Does execute($input_parameter) protect from SQL injections just like bindParam/bindValue?
If the answer is yes, are bindParam()/bindValue()/execute() invulnerable to any SQL injection attack? Or do I need to take measures to prevent such attacks?
Thanks for the help!
Recommended answer
As far as execute($input_parameters) being as safe as separate bindParam/bindValue/execute steps, the answer would appear to be basically, yes.
However, you might still need to take further measures depending on how you construct the query string that you pass to your PDO::prepare call. It is not always possible to parameterize everything in the prepared query string. For example, you can't use a parameter for a table or column name. If you allow user data or any external data into that query string, you must still sanitize that data before passing the string to prepare.
Refer to these stackoverflow questions for more details:
In general you should be filtering all input data anyway, so if you wanted to be extra safe you could sanitize any input data that is destined for SQL-type stuff using the filters appropriate for your needs, or even write a custom FILTER_CALLBACK function if you wish. In the case of table or column names coming from user-provided data, a common validation technique is to check the values against arrays of allowable names.
Hope this helps. Good luck. Stay safe! ;)
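The two points in the answer, shown side by side as an added example (this is not code from the question or the answer): a value bound through execute(array) and the same value bound through bindValue() receive identical protection, while a column name in ORDER BY cannot be bound at all and is checked against a whitelist instead. The table, rows, hostile input strings and the allowed-column list are all constructed for the example; it uses an in-memory SQLite database so it runs offline with the pdo_sqlite extension.

```php
<?php
// Added example, not part of the original answer. Demonstrates that
// execute([...]) and bindValue()+execute() bind values the same way, and
// that identifiers (column names) must be whitelisted, not bound.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and sample rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (name, email) VALUES
            ('alice', 'alice@example.com'),
            ('bob',   'bob@example.com')");

// Constructed hostile input. Once bound as a parameter it is only ever
// compared as a string literal, so it cannot alter the query structure.
$userInput = "alice' OR '1'='1";

// Style 1: pass all parameters to execute().
function findByNameExecute(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Style 2: bindValue() first, then execute() with no arguments.
// Same driver-level binding, so the same protection as style 1.
function findByNameBindValue(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be parameters. Validate against a fixed list of our
// own literals before the name ever reaches the query string.
function listNamesOrderedBy(PDO $pdo, string $requestedColumn): array
{
    // Assumption for this example: the only columns clients may sort by.
    $allowedColumns = ['id', 'name', 'email'];
    if (!in_array($requestedColumn, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    // Safe to interpolate: $requestedColumn is now one of the whitelist
    // entries, never the raw user-supplied text.
    $stmt = $pdo->query("SELECT name FROM users ORDER BY $requestedColumn");
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Both binding styles treat the hostile string as data and return the same rows.
var_dump(findByNameExecute($pdo, $userInput) === findByNameBindValue($pdo, $userInput));
var_dump(findByNameExecute($pdo, 'alice'));

// A whitelisted column name is accepted; anything else is rejected before
// it can be interpolated into the statement.
print_r(listNamesOrderedBy($pdo, 'name'));
try {
    listNamesOrderedBy($pdo, 'name; DROP TABLE users'); // constructed bad identifier
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. The strict `in_array(..., true)` comparison and the fixed array of literals are what make the interpolation in listNamesOrderedBy safe; whitelisting is preferable to trying to escape identifiers, because quoting rules for identifiers differ between database engines and PDO offers no portable helper for them.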