PHP/SQL数据库查询良好做法和安全性 [英] PHP/SQL Database querying good practice and security

问题描述

因此，我是一位经验丰富的php开发人员，自2007年以来一直在做该死的事情"；但是，在保护我的应用程序方面，我还是比较满意的.以这种方式，我并不真正了解我所知道的一切，我会而且应该.

So I'm a slightly seasoned php developer and have been 'doin the damn thing' since 2007; however, I am still relatively n00bish when it comes to securing my applications. In the way that I don't really know everything I know I could and should.

我选择了保护PHP Web应用程序并正在阅读我的方法来测试整个过程.我对与数据库查询有关的一般SO组有一些疑问(主要是在mysql下):

I have picked up Securing PHP Web Applications and am reading my way through it testing things out along the way. I have some questions for the general SO group that relate to database querying (mainly under mysql):

在创建将数据存储到数据库的应用程序时，mysql_real_escape_string和对输入数据的常规检查(is_numeric等)是否足够?与sql注入不同的其他类型的攻击又如何呢?

When creating apps that put data to a database is mysql_real_escape_string and general checking (is_numeric etc) on input data enough? What about other types of attacks different from sql injection.

有人能解释存储过程和预备语句的信息多于-您进​​行存储并对其进行调用.我想知道它们是如何工作的，幕后进行的验证是什么.

Could someone explain stored procedures and prepared statements with a bit more info than - you make them and make calls to them. I would like to know how they work, what validation goes on behind the scenes.

我在php4绑定环境中工作，目前暂时不选择php5.以前有没有其他人担任过这个职位，在所有很酷的孩子正在使用新的mysqli接口的同时，您如何保护应用程序安全?

I work in a php4 bound environment and php5 is not an option for the time being. Has anyone else been in this position before, what did you do to secure your applications while all the cool kids are using that sweet new mysqli interface?

人们发现哪些通用的良好做法是有好处的，重点是创建能够承受升级和可能的迁移(例如将php4迁移到php5)的基础结构.

What are some general good practices people have found to be advantageous, emphasis on creating an infrastructure capable of withstanding upgrades and possible migrations (like moving php4 to php5).

注意:经过搜索后找不到与php-mysql安全性类似的东西.

Note: have had a search around couldn't find anything similar to this that hit the php-mysql security.

推荐答案

我的建议:

1. 放弃mysqli，转而使用 PDO (使用mysql驱动程序)
2. 使用PDO参数化的准备好的语句

1. ditch mysqli in favor of PDO (with mysql driver)
2. use PDO paremeterized prepared statements

然后您可以执行以下操作:

You can then do something like:

$pdo_obj = new PDO( 'mysql:server=localhost; dbname=mydatabase', 
                    $dbusername, $dbpassword );

$sql = 'SELECT column FROM table WHERE condition=:condition';
$params = array( ':condition' => 1 );

$statement = $pdo_obj->prepare( $sql, 
    array( PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY ) );
$statement->execute( $params );
$result = $statement->fetchAll( PDO::FETCH_ASSOC );

专业人士:

1. 不再需要手动转义，因为PDO会为您完成所有操作！
2. 突然之间切换数据库后端相对容易.

缺点:

• 我想不起来.

这篇关于PHP/SQL数据库查询良好做法和安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！