Laravel Eloquent: is SQL injection prevention done automatically?

Problem description

Given the example code (Message is an Eloquent model.):

public function submit(Request $request){
    // Validate the incoming request; rejects the request if a field is missing
    $this->validate($request, [
        'name' => "required",
        "email" => "required"
    ]);

    // Create a new Message model instance and assign the request values
    $message = new Message;
    $message->name = $request->input("name");
    $message->email = $request->input("email");

    // Persist the row; Eloquent builds the INSERT and binds the values
    $message->save();
}

Does Eloquent use parameterized queries (like PDO) or any other mechanisms to prevent SQL injection?

Recommended answer

Yes, but...

Yes, it does SQL injection prevention when you rely on the built-in ORM functionality, like $someModelInstance->save(). From the docs:

Laravel's database query builder provides a convenient, fluent interface to creating and running database queries. It can be used to perform most database operations in your application and works on all supported database systems.

The Laravel query builder uses PDO parameter binding to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.

Please note that you are not automatically protected if you build raw SQL statements and execute those or use raw expressions. More from the docs:

Raw statements will be injected into the query as strings, so you should be extremely careful to not create SQL injection vulnerabilities.

You should always use parameterized queries when building raw SQL statements or expressions. See the last link above (and other parts of the docs, as well) for information on how to do that in Laravel/Eloquent.
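As an added example (not code from the question or the answer), the three cases the answer distinguishes, written in PHP against the asker's Message model: a builder call that is bound automatically, a raw statement that interpolates input and is therefore unprotected, and the same raw statement written with bindings. The App\Models\Message namespace and the MessageLookup class are assumptions.

```php
<?php

use Illuminate\Support\Facades\DB;
use App\Models\Message;   // the asker's Eloquent model; namespace is assumed

class MessageLookup
{
    // 1. Query builder / Eloquent: the value becomes a PDO binding, so it is
    //    sent to the database separately from the SQL text.
    //    SQL: select * from `messages` where `email` = ?   bindings: [$email]
    public function viaBuilder(string $email)
    {
        return Message::where('email', $email)->get();
    }

    // 2. Raw statement with the input interpolated into the string: this is
    //    the case the answer warns about. The input is part of the SQL text,
    //    so a crafted value can change the query's meaning.
    public function viaRawUnsafe(string $email)
    {
        return DB::select("select * from messages where email = '$email'");
    }

    // 3. Raw statement done correctly: the SQL text stays static and the value
    //    travels in the bindings array, exactly as the builder does internally.
    public function viaRawBound(string $email)
    {
        return DB::select('select * from messages where email = ?', [$email]);
    }

    // The same rule applies to raw fragments inside a builder chain (whereRaw,
    // selectRaw, orderByRaw, ...): keep the fragment static and pass values
    // through the bindings argument.
    public function viaWhereRaw(string $email)
    {
        return Message::whereRaw('lower(email) = ?', [strtolower($email)])->get();
    }
}
```

Bindings cover values only: a column or table name taken from user input cannot be bound and must be checked against an allowlist before it is placed in a raw expression.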
