PDO execute($input_parameter) protects from SQL injections as bindParam/bindValue?


Question

Does execute($input_parameter) protect from SQL injections just like bindParam/bindValue?

If the answer is yes, are bindParam()/bindValue()/execute() invulnerable to any SQL injection attack? Or do I need to take measures to prevent such attacks?

Thanks for the help!

Answer

As far as execute($input_parameters) being as safe as separate bindParam/bindValue/execute steps, the answer would appear to be, basically, yes.

However, you might still need to take further measures depending on how you construct the query string that you pass to your PDO::prepare call. It is not always possible to parameterize everything in the prepared query string. For example, you can't use a parameter for a table or column name. If you allow user data or any external data into that query string, you must still sanitize that data before passing the string to prepare. Refer to these Stack Overflow questions for more details:

In general you should be filtering all input data anyway, so if you wanted to be extra safe you could sanitize any input data that is destined for SQL-type stuff using the filters appropriate for your needs, or even write a FILTER_CALLBACK custom function if you wish. In the case of table or column names coming from user-provided data, a common validation technique is to check the values against arrays of allowable names.

Hope this helps. Good luck. Stay safe! ;)
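An added example (not code from the original answer) putting the two points above side by side: values go through execute($params) as bound parameters, while a column name, which cannot be bound, is checked against an allow-list before it is interpolated into the SQL. It assumes PHP with the pdo_sqlite driver; the table, the SORTABLE_COLUMNS list and findUsers() are hypothetical.

```php
<?php
// Added example, not from the original answer. Uses an in-memory SQLite
// database so it runs stand-alone; the schema and data are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO users (name, email, created_at) VALUES
            ('alice',   'alice@example.com',   '2024-01-01'),
            ('bob',     'bob@example.com',     '2024-02-01'),
            ('o''brien', 'obrien@example.com', '2024-03-01')");

// Identifiers cannot be bound as parameters, so the only safe way to accept a
// user-chosen sort column is to compare it against a fixed list of allowed
// names (hypothetical allow-list for this example).
const SORTABLE_COLUMNS = ['id', 'name', 'created_at'];

function findUsers(PDO $pdo, string $namePrefix, string $orderBy): array
{
    if (!in_array($orderBy, SORTABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Column not allowed for ORDER BY: $orderBy");
    }
    // $orderBy is now one of the literal names above, so interpolating it is
    // safe. The value, by contrast, never touches the SQL string: it is sent
    // separately as a bound parameter (execute() binds it as PDO::PARAM_STR).
    $sql  = "SELECT id, name, email FROM users WHERE name LIKE :name ORDER BY $orderBy";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':name' => $namePrefix . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A value containing a quote is plain data to the database: one row, o'brien.
print_r(findUsers($pdo, "o'", 'name'));

// Ordinary use: prefix match on 'al', sorted by an allowed column.
print_r(findUsers($pdo, 'al', 'created_at'));

// A real column that is not on the allow-list is rejected before it reaches
// the query string; anything that is not a column name is rejected the same way.
try {
    findUsers($pdo, 'al', 'email');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```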
