Do PHP PDO prepared statements need to be escaped?

Question

On the PDO::prepare page:

"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"

Knowing this, is there a PHP function like mysql_real_escape_string() that takes care of escaping strings for PDO? Or does PDO take care of all escaping for me?

Edit

I realize now that I asked the wrong question. My question really was, "What all does PDO take care of for me?" Which I realize now with these answers that it really only removes the need to escape the quotes. But I would still need to do any other PHP sanitize calls on the values that I pass to the execute function. Such as htmlentities(), strip_tags()...etc...

Recommended answer

PDO does not escape the variables. The variables and the SQL command are transferred independently over the MySQL connection. And the SQL tokenizer (parser) never looks at the values. Values are just copied verbatim into the database storage without the possibility of ever causing any harm. That's why there is no need to marshall the data with prepared statements.

Note that this is mostly a speed advantage. With mysql_real_escape_string() you first marshall your variables in PHP, then send an inefficient SQL command to the server, which has to costly segregate the actual SQL command from the values again. That's why it's often said that the security advantage is only implicit, not the primary reason for using PDO.

If you concat the SQL command and don't actually use prepared statements (not good!), then yes, there still is an escape function for PDO: $pdo->quote($string)
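As an added example (not code from the question or the answer above), this puts the three points side by side: a bound parameter that needs no escaping, `$pdo->quote()` for the concatenation case, and the separate HTML escaping the question's edit asks about. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database so it runs offline; the answer discusses MySQL, but the PDO calls are the same.

```php
<?php
// Added example, not part of the original question or answer.
// In-memory SQLite so it runs without a MySQL server.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// Note for MySQL users: pdo_mysql emulates prepares by default and then quotes
// values client-side. Set PDO::ATTR_EMULATE_PREPARES to false to get the
// "values sent separately from the SQL" behaviour the answer describes.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)');

// Constructed input: the name would terminate a quoted SQL literal if it were
// concatenated into the query, and the bio carries markup if echoed unescaped.
$name = "O'Brien";
$bio  = "<script>alert(1)</script>";

// 1. Prepared statement: the SQL text contains only placeholders; the values
//    travel separately and are never seen by the SQL tokenizer, so there is
//    nothing to escape.
$stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
$stmt->execute([':name' => $name, ':bio' => $bio]);

// 2. Lookup with a bound parameter: the apostrophe in O'Brien is matched as
//    data, not interpreted as SQL syntax.
$stmt = $pdo->prepare('SELECT name, bio FROM users WHERE name = ?');
$stmt->execute([$name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. If SQL is built by concatenation anyway, PDO::quote() is the escape
//    function: it adds the surrounding quotes and escapes the embedded one
//    using the rules of the driver in use.
$sql   = 'SELECT COUNT(*) FROM users WHERE name = ' . $pdo->quote($name);
$count = (int) $pdo->query($sql)->fetchColumn();

// 4. PDO only removed the need for SQL quoting. The stored bio is unchanged,
//    so rendering it into HTML still needs output escaping for that context.
$safeBio = htmlspecialchars($row['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8');

printf("stored name: %s\n", $row['name']);
printf("matches via quote(): %d\n", $count);
printf("raw bio as stored: %s\n", $row['bio']);
printf("bio escaped for HTML: %s\n", $safeBio);
```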
