Do prepare statements secure your database?


Question

I know that this question may be closed by some of you, but my question came up from you and your answers. I have been reading questions and answers about SQL injection and how to protect your database for the past two hours. The same goes for the huge number of web pages and tutorials I saw.

I found out that half of the people claim that prepared statements do secure your DB, and the other half claim that they do not.

On the other hand, I read that mysql_real_escape_string does the job, and other people say that it does not.

My question is: whom should I believe?

In addition, is this a proper prepared statement?

    /*** prepare the statement: the SQL text is fixed, values come in as placeholders ***/
    $stmt = $dbh->prepare("SELECT phpro_user_id, phpro_username, phpro_password FROM phpro_users
                           WHERE phpro_username = :phpro_username AND phpro_password = :phpro_password");

    /*** bind the parameters ***/
    $stmt->bindParam(':phpro_username', $phpro_username, PDO::PARAM_STR);
    $stmt->bindParam(':phpro_password', $phpro_password, PDO::PARAM_STR, 40);

    /*** execute the prepared statement ***/
    $stmt->execute();

Answer

Prepared statements don't. Bound parameters secure the statement (not the database as a whole) so long as all your untrusted data is passed via a parameter rather than being interpolated into the statement. When people use prepared statements, they almost always use bound parameters too, so the two names are often conflated.

  1. Prepare statement
  2. Run statement with variables as additional parameters

mysql_real_escape_string almost always does the job, but since it adds additional steps to the process, it is more prone to human error.

  1. Escape each variable
  2. Concatenate variables into SQL statement
  3. Run statement
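The answer's distinction (bound parameters protect the statement only where untrusted data actually goes through a parameter) is easiest to see side by side. The following is an added example, not code from the question or the answer; it uses Python's sqlite3 module instead of PHP/PDO, and the users table, passwords and payloads are constructed for the demonstration. It also goes one step beyond the login case in the question: a statement that binds its value parameter correctly but interpolates an ORDER BY column name is still injectable, because a parameter can only stand in for a value, never an identifier, and the fix there is an allow-list.

```python
import sqlite3

# Constructed sample data. Plaintext passwords are used only so the effect of
# the injection is visible; a real table would store password hashes.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed payloads used by the demonstrations below.
LOGIN_PAYLOAD = "alice' --"          # closes the quote, comments out the password check
ALLOWED_SORT = {"id", "username"}    # allow-list for the ORDER BY identifier


def make_db():
    """In-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_interpolated(conn, username, password):
    """Vulnerable: untrusted input is pasted into the SQL text (step 2 of the
    escape-and-concatenate workflow, with the escaping step forgotten)."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_bound(conn, username, password):
    """Safe: the statement text never changes; values travel as bound parameters,
    so a quote or comment marker inside them is just data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def list_users_bad_sort(conn, sort_col):
    """Prepared with a bound parameter for the value, yet still injectable: the
    ORDER BY identifier is interpolated, and parameters cannot replace it."""
    sql = "SELECT username FROM users WHERE id > ? ORDER BY " + sort_col
    return [row[0] for row in conn.execute(sql, (0,)).fetchall()]


def list_users_allowlisted_sort(conn, sort_col):
    """Hardened: identifiers are checked against a fixed allow-list before they
    are placed in the statement."""
    if sort_col not in ALLOWED_SORT:
        raise ValueError("unknown sort column: %r" % sort_col)
    sql = "SELECT username FROM users WHERE id > ? ORDER BY " + sort_col
    return [row[0] for row in conn.execute(sql, (0,)).fetchall()]


def probe_password_prefix(conn, prefix):
    """Blind extraction through the interpolated ORDER BY: the sort direction
    leaks whether alice's password starts with `prefix`. True means the rows
    came back in id order (alice first); False means reversed."""
    expr = ("CASE WHEN (SELECT password FROM users WHERE username = 'alice') "
            "LIKE '%s%%' THEN id ELSE -id END" % prefix)
    return list_users_bad_sort(conn, expr) == ["alice", "bob"]


if __name__ == "__main__":
    db = make_db()
    print("interpolated, payload login:", login_interpolated(db, LOGIN_PAYLOAD, "wrong"))
    print("bound, payload login:       ", login_bound(db, LOGIN_PAYLOAD, "wrong"))
    print("password starts with 's'?   ", probe_password_prefix(db, "s"))
    print("password starts with 'x'?   ", probe_password_prefix(db, "x"))
    try:
        list_users_allowlisted_sort(db, "id; DROP TABLE users")
    except ValueError as exc:
        print("allow-list rejected:", exc)
```

Running it shows the login bypass succeeding only against the interpolated query, and the ORDER BY probe answering yes/no questions about a stored secret even though the statement was "prepared" and its value bound. That is the practical reading of the answer: the guarantee covers exactly the positions where a parameter is used, and nothing else in the statement.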
