security difference between (double) $user_input and bind_param('d', $user_input)

Views: 103

Problem description

Lets say I were to perform a prepared statement like this:

/* $qry is assumed to be a mysqli_stmt, e.g. from $db->stmt_init() */
$qry->prepare('UPDATE table_name SET column1 = ?, string_column = ? WHERE column3 = ? AND column4 = ?');
$qry->bind_param('sbid', $string, $blob, $int, $double);

/* variables are bound by reference, so they may be assigned after bind_param() */
$int = 'non int value'; /* gives 0 in the database */
$blob = 'some string';
$string = 'another string';
$double = $double;       /* user-supplied value */

/* a 'b' parameter is not read from the bound variable; its data must be sent in packets */
$qry->send_long_data(1, $blob);

$qry->execute();
$qry->close();

Let's just say I only wanted to perform the query once, I just used the prepared statement in the name of security. From what I've been reading - its more overhead to use prepared queries only once, and that amounts to compromising performance for the security benefits. That being said - what would be the performance/security difference in doing the same query one time like this.

$int = (int) $int;
/* escape with the same connection the query runs on, so the connection charset is honoured */
$blob = "'" . $db->real_escape_string($blob) . "'";
$string = "'" . $db->real_escape_string($string) . "'";   /* the original escaped $blob here a second time */
$double = (double) $double;

$db->query("UPDATE table_name SET column1 = $int, column2 = $blob WHERE column3 = $string AND column4 = $double");

PS. I'm not interested in how prepared statements improve performance, but in the security and speed difference for a single query.

Recommended answer

There is quite a lot to that. Some random points

  • Single use prepared statements do impose a (more than theoretical) performance penalty, which is higher, if a lot of connections exist to the MySQL server. (Think: Context switches)
  • But you should not run a DB server so close to its limits, that this makes the difference.
  • But you do not always have the choice (Think: shared hosting)

Or:

  • There are some (or even many) cases, where prepared statements do not offer a security benefit - there is a lot of business logic, where no user-generated data is involved (Think: Jointables, that only carry IDs) or where the user-generated data has to be validated beforehand for other reasons (Think: Price calculations, memcached lookups, ...)
  • But selecting one of many styles for each single query results in unmaintainable code.
  • But it is sometimes unavoidable (Think: There is no prepared query support for the IN ( ) construct)

Often overlooked:

  • Prepared queries sometimes make it harder to be RDBMS-agnostic
  • But prepared queries offer the best known protection against SQL injection.

My favourite:

  • It is common advice to simply always use prepared queries
  • But the majority of living things on this planet would advise you to eat feces or rotting organic substance.

So the choice of style often has to be made on a case-by-case basis. We have adopted the way of encapsulating all DB access including parameter management in a standardized library, that is simply require()ed, so you can drop-in replace with prepared queries, escaping or whatever you want and your RDBMS supports.
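As an added example that is not part of the question or the answer: a prepared UPDATE whose WHERE clause is the IN ( ) construct the answer mentions, built by generating one ? per value so the values still travel separately from the SQL text, with the bind_param type string derived from the PHP type of each value. The function names are hypothetical, the table and column names follow the question, and the connection details are placeholders.

```php
<?php
// Added example (not from the question or answer): a prepared UPDATE whose
// WHERE clause uses an IN ( ) list of arbitrary length. One placeholder is
// generated per value and the bind_param type string is derived from the
// PHP type of each value (i = int, d = double, s = string). The table and
// column names are taken from the question; connection details are placeholders.

function in_list_placeholders(array $values): array
{
    // e.g. ['?, ?, ?', 'idi'] for [1, 2.5, 3]
    $placeholders = implode(', ', array_fill(0, count($values), '?'));
    $types = '';
    foreach ($values as $v) {
        if (is_int($v)) {
            $types .= 'i';
        } elseif (is_float($v)) {
            $types .= 'd';
        } else {
            $types .= 's';  // anything else travels as a string value, never as SQL text
        }
    }
    return [$placeholders, $types];
}

function update_price_for_ids(mysqli $db, float $newPrice, array $ids): int
{
    if ($ids === []) {
        return 0;  // "IN ()" is a syntax error in MySQL; nothing to do
    }
    // Same effect as the (int) cast in the question: 'abc' becomes 0, '12' becomes 12
    $ids = array_values(array_map('intval', $ids));
    [$placeholders, $types] = in_list_placeholders($ids);

    $stmt = $db->prepare("UPDATE table_name SET column4 = ? WHERE column3 IN ($placeholders)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 'd' for the price followed by one 'i' per id; bind_param takes references,
    // which argument unpacking (...) provides for each array element
    $stmt->bind_param('d' . $types, $newPrice, ...$ids);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage (constructed values, placeholder connection):
// $db = new mysqli('localhost', 'user', 'password', 'dbname');
// echo update_price_for_ids($db, 9.99, [3, 7, '12', 'abc']), " rows updated\n";
```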
