Do prepared statements in PDO really increase security?


Question


I wonder if those prepared statements of PDO really increase security, or if they are just a "cheap" text-replace in the query. The point of prepared statements actually is that whatever gets inserted as a parameter will not be parsed by the DBMS as part of the instructions itself, so a parameter like

"'; DROP TABLE foobar;"


has no effect and does not break the query. Does anyone know this in detail? I thought to use PDO with prepared statements for preventing sql injection. It turns out that they are hard to use (and don't even work, at least on my local machine), so I want to find this out before wasting much more time with PDO ;-)

Recommended answer


Creating a prepared statement sends the query-with-wildcards to the server for parsing, and returns a token to call that statement.


A call merely involves sending the data bound to every parameter. This means there will be no parsing of the data (because it's not part of a query string), and that the structure of the query is fixed when the prepared statement is parsed and cannot be altered by injection.


So, yes, a prepared statement definitely increases safety.


It also means you do not have to incur the parsing overhead if you reuse a prepared statement for several requests.
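The difference the answer describes, shown side by side as an added example (this is not code from the original question or answer). It uses an in-memory SQLite database through PDO so it runs offline; the `users` table, the rows in it and the attacker-controlled `$input` string are constructed for this example. The concatenated query lets the input change the query's structure; the prepared statement keeps the structure fixed and treats the input purely as data.

```php
<?php
// Added example: string concatenation vs. a bound parameter in PDO.
declare(strict_types=1);

// In-memory SQLite database, constructed for this example only.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Hypothetical attacker-controlled input (constructed). The single quote closes
// the string literal and the OR clause is meant to become part of the query.
$input = "x' OR '1'='1";

// Vulnerable: the input is spliced into the SQL text, so the DBMS parses it as
// part of the statement. The WHERE clause turns into  name = 'x' OR '1'='1'.
function lookupConcat(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the statement is parsed with a placeholder, so its structure is fixed
// before any data is seen. The input is bound afterwards and can only ever be
// compared as a value; it cannot add clauses or close the literal.
function lookupPrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Reuse of one prepared statement for several lookups: the SQL is parsed once,
// only the bound data changes per call.
function lookupMany(PDO $pdo, array $names): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $found = [];
    foreach ($names as $name) {
        $stmt->execute([':name' => $name]);
        $found = array_merge($found, $stmt->fetchAll(PDO::FETCH_COLUMN));
    }
    return $found;
}

var_dump(lookupConcat($pdo, $input));    // ['alice', 'bob']: the injected OR matched every row
var_dump(lookupPrepared($pdo, $input));  // []: no row is literally named "x' OR '1'='1"
var_dump(lookupMany($pdo, ['alice', $input, 'bob'])); // ['alice', 'bob']
```

Two caveats worth knowing when applying this with other drivers. With pdo_mysql, `PDO::ATTR_EMULATE_PREPARES` is on by default, meaning PDO quotes the bound values itself and splices them into the SQL text client-side instead of sending them separately; set that attribute to `false` to get the server-side prepare/execute split the answer describes. And placeholders only stand in for values: a table or column name, or a sort direction, cannot be bound, so such fragments still have to be checked against an allow-list before they are put into the query text.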
