Is Propel's fromArray/fromJSON feature safe from SQL injection?


Problem description

The Propel ORM documentation mentions a neat import/export feature using functions like fromArray and fromJSON, that should allow something like this:

$foo = new Widget();
$foo->fromArray($_POST);
$foo->save(); /* Aaand you're done! */

...but the documentation doesn't mention if using fromArray this way is supposed to be safe, i.e. if fromArray can handle untrusted input. My guess would be that it's all right - the default setters are injection-proof, and the whole deal is based on PDO - but I'd like to be sure.

Recommended answer

Propel not only uses PDO for the queries, it also utilizes Prepared Statements via PDO, which are pretty good when it comes to mitigating SQL Injection attacks (and for enhancing performance).

Note that just using PDO does NOT guarantee any protection against SQL Injection, always use Prepared Statements.

So as an answer to your question, yes, Propel fully utilizes PDO's abilities to protect from SQL Injection.
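The answer's distinction between "using PDO" and "using prepared statements via PDO" is the whole point, so here is an added example (not code from the original post or from Propel) showing the weak query-building pattern beside the prepared-statement form. It assumes PHP with the pdo_sqlite extension; the widget table, its rows and the test input are constructed for the demonstration.

```php
<?php
// Added example, not from the original post or from Propel.
// Uses an in-memory SQLite database so it runs offline; all data is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE widget (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)');
$pdo->exec("INSERT INTO widget (name, secret) VALUES ('public', 0), ('hidden', 1)");

// Weak pattern: PDO is used, but the untrusted value is spliced into the SQL text,
// so the database parses whatever the caller supplied as part of the query.
function findPublicByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM widget WHERE secret = 0 AND name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe pattern: a prepared statement sends the SQL text and the value separately;
// the value is only ever compared as data, never interpreted as SQL.
function findPublicByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM widget WHERE secret = 0 AND name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a quote character, the kind of value that arrives
// unfiltered in $_POST. In the unsafe function it alters the WHERE clause so the
// secret = 0 filter no longer applies; in the safe function it is just a name to match.
$untrusted = "x' OR '1'='1";

$unsafe = findPublicByNameUnsafe($pdo, $untrusted);
$safe   = findPublicByNameSafe($pdo, $untrusted);

// The two result sets differ only because of how the value reached the database:
// a detection-minded review of query code looks for the first shape and replaces it with the second.
printf("interpolated query returned %d row(s); prepared statement returned %d row(s)\n",
    count($unsafe), count($safe));
```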
