PHP数据库 [英] php mysql adodb

问题描述

我在adodb中使用PHP，但是遇到了一个大问题。我正在使用adodb来加快开发速度，因此可以执行以下操作：

  $ r [ Name] = $ _POST ['txtName']; 
 
 if（$ _POST [ ID]！=）
 $ conn-> AutoExecute（ content，$ r，'UPDATE'，'AutoID ='。$ _POST [ ID]）; 
 else 
 $ conn-> AutoExecute（ content，$ r，'INSERT'）; 
  

但是，如果该名称中包含单引号，则将其加到斜杠中！因此，如果名称是Testimonial，将另存为Testimonial\的名称，这给我带来了很多问题，那么我是否可以避免这种情况，但仍可以像上面那样编程，因为它比准备插入/更新语句要快得多。 p>

干杯

解决方案

此问题的正确和最终解决方案是两个部分：

1. 以编程方式在代码中禁用所有 magic_quotes 。这样可确保您具有已知的配置，如果/当管理员更改了这些php.ini设置时，该配置不会被破坏。


2. 在之前验证/引用所有传入的用户输入

虽然第一部分是良好的编程，但是第二部分对于编写安全的应用程序绝对必不可少！

要引用用户输入，可以采用两种方法：

1. 手动（使用AdoDB的 qstr 或报价），在这种情况下，您必须非常小心，不要错过任何东西。对于小型项目而言，这可能是完全可行的，我过去已经多次这样做过。


2. 使用带有绑定变量的准备好的语句来进行查询。这样可以确保只要正确指定变量类型，就不会在应用程序中进行SQL注入，并且比第一种方法更容易出错。这是我现在正在做的一段时间。

更新：

如果使用准备好的语句，您可能会发现AdoDB不会给您那么多的费用，并且您可以使用PDO进行大部分工作。当您需要自动功能时，您可以自己编写一些特定于应用程序的功能。以我的经验，这比添加AdoDB还要多一点工作，并且总体上更好。

I'm using PHP with adodb but come up against a massive problem. I'm using adodb to speed up development so I can do thing like:

$r["Name"] = $_POST['txtName'];

if ($_POST["ID"] != "")
  $conn->AutoExecute("content", $r, 'UPDATE', 'AutoID = ' . $_POST["ID"]);      
else
  $conn->AutoExecute("content", $r, 'INSERT');

However if that name was to have a single quote in it saves into db with a slash! So if the name is Testimonial's it will save as Testimonial\'s which is causing me massive problems, is there anyway I can avoid this but still program like above as it's hell of a lot quicker than preparing insert / update statements.

Cheers

解决方案

The correct and final solution to this issue is composed of two parts:

1. Disable all magic_quotes programmatically in your code. This ensures that you have a known configuration to work with, which cannot be broken if/when an admin changes these php.ini settings.
2. Validate/quote all incoming user input before accessing the database!

While the first part is good programming, the second is absolutely essential to write a secure application!

To quote the user input there are two ways you can go:

1. Manually (use AdoDB's qstr or Quote), in which case you must be very very careful to not miss anything. This can be quite doable for small projects, I have gone this way many times in the past.
2. Use prepared statements with bound variables to make your queries. This ensures that there will never be an SQL injection in your app as long as you specify the variable types correctly, and is way less error prone than the first option. This is what I am doing for some time now.

Update:

If you go with prepared statements, you may find that AdoDB doesn't buy you that much and you can use PDO for most of the work. When you need something "automagic", you can write a few functions specific to the application yourself. In my experience, that's just a little more work and overall better than including AdoDB.

这篇关于PHP数据库的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！