Are parameterized queries in PDO necessary for request variables?


Question

I understand that parameterized queries are essential when user-submitted data is on the prowl, however my question is whether this applies to user-TAMPERABLE data?

So if we have a URL such as ".../?id=1", would it be necessary to prepare any statement using $id or would URL encoding remove the threat?

Answer

Why wouldn't you use prepared statements / parameterised queries for all situations where there is external/variable input?

The only queries you can trust are those where every element is hardcoded, or derived from hardcoded elements within your application.

Do not even trust data that you have pulled from your own database. This counts as external / variable data. A sophisticated attack can use more vectors than a simple "modifying a query string parameter".

I think for the tiny amount of extra code overhead, it is completely worth the peace of mind you will get from knowing your queries are protected.
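The following is an added example, not code from the question or the answer above. It shows why URL encoding does not remove the threat for a request variable like `?id=1` (PHP decodes the query string before it reaches `$_GET`), with the string-interpolated query beside the PDO prepared statement; it assumes an in-memory SQLite database and a constructed request value.

```php
<?php
// Added example: in-memory SQLite so it runs stand-alone, no web server needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");

// Constructed request value: the browser sends ".../?id=1%20OR%201%3D1".
// PHP decodes percent-encoding while building $_GET, so by the time the
// value is used in code the URL encoding is already gone.
$_GET['id'] = urldecode('1%20OR%201%3D1');

// Vulnerable: the decoded request variable is interpolated into the SQL text,
// so the WHERE clause becomes "id = 1 OR 1=1" and matches every row.
function fetchNameUnsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT name FROM users WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value is sent as a bound parameter and never becomes part of the
// SQL text. It is also cast to int, since the column is numeric, so anything
// after the leading digits is discarded rather than interpreted.
function fetchNameSafe(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(fetchNameUnsafe($pdo, $_GET['id']));
print_r(fetchNameSafe($pdo, $_GET['id']));
```

Run it with `php example.php`: the unsafe function returns both users, the prepared statement returns only the user with id 1.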
