Is this code sql-injection-safe in PDO?


Question

Code (beginner):

    // Fragment of a larger handler: the `return` and `break` below assume an
    // enclosing function and switch that the question does not show.
    if(isset($_POST['selection']))
    {
        include_once 'pdo_init.php';   // creates $pdo
        // one "?" per selected id, e.g. "?,?,?" for three ids
        $params_str = str_repeat('?,',count($_POST['selection']));
        $params_str = substr($params_str,0,-1);   // drop the trailing comma
        $res = $pdo->prepare('DELETE FROM funcionario WHERE codigo in ('.$params_str.')');
        if($res->execute($_POST['selection']))    // ids are bound as parameters, not concatenated
        {
            return json_encode(array(
                'success' => 1,
                'msg'     => 'os registros foram deletados com sucesso!'   // "records deleted successfully"
            ));
        } else {
            return json_encode(array(
                'success' => 0,
                'msg'     => 'nao admitimos sql-injection aqui seu safado!'   // "no sql injection allowed here"
            ));
        }
    } else {
        # error out
        break;
    }

Recommended answer


Pedantically, no it is not 100% safe (which you typically get from prepared statements in general). That's because with MySQL, PDO emulates prepared statements internally. This means that the data is escaped, so there is no benefit to using prepared statements over escaping when it comes to PDO (with the default settings at least).


You can change this by setting PDO::setAttribute(PDO::ATTR_EMULATE_PREPARES, 0) on the connection.


MySQLi does use true prepared statements, so I would suggest using that instead.
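The following is an added example, not code from the question or the answer above. It shows the setting the answer recommends (`PDO::ATTR_EMULATE_PREPARES` turned off so MySQL receives the statement text and the values separately) applied to the same `DELETE ... WHERE codigo IN (?,?,?)` query, together with two checks the question's snippet lacks: it rejects an empty selection (the original builds `IN ()`, which is a MySQL syntax error) and it validates every id as a positive integer before binding it with `PDO::PARAM_INT`. It assumes a MySQL table `funcionario` with an integer key `codigo`, as in the question; the function names, the `utf8mb4` charset in the DSN and the connection credentials are illustrative choices, not anything from the page.

```php
<?php
// Added example; assumes table `funcionario(codigo INT ...)` from the question.
// Function names and credentials are hypothetical.
declare(strict_types=1);

/**
 * Open the connection the way the answer recommends: emulated prepares off,
 * so the SQL text and the bound values travel to MySQL separately.
 * The charset in the DSN keeps client and server encodings in agreement,
 * which also keeps client-side escaping correct if emulation is ever re-enabled.
 */
function pdoConnect(string $host, string $db, string $user, string $pass): PDO
{
    $dsn = "mysql:host={$host};dbname={$db};charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES   => false,                 // the setting from the answer
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly instead of returning false
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Validate the request input before it reaches SQL.
 * Rejects non-arrays, empty selections (the question's code would emit "IN ()")
 * and anything that is not a positive integer. Returns a de-duplicated int list.
 */
function parseSelection(mixed $raw): array
{
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('selection must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $v) {
        // FILTER_VALIDATE_INT rejects "1 OR 1=1", "1.5", "", nested arrays, etc.
        $n = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            throw new InvalidArgumentException('selection contains a non-integer id');
        }
        $ids[] = $n;
    }
    return array_values(array_unique($ids));
}

/**
 * Build "DELETE ... WHERE codigo IN (?,?,?)" with one placeholder per id and
 * bind each id as an integer. Returns the number of deleted rows.
 */
function deleteFuncionarios(PDO $pdo, array $ids): int
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM funcionario WHERE codigo IN ({$placeholders})");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT); // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

/** Request handler equivalent to the snippet in the question. */
function handleDeleteRequest(PDO $pdo, array $post): string
{
    try {
        $ids = parseSelection($post['selection'] ?? null);
        $n   = deleteFuncionarios($pdo, $ids);
        return json_encode(['success' => 1, 'deleted' => $n]);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        return json_encode(['success' => 0, 'msg' => $e->getMessage()]);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // log the detail; do not echo it to the client
        http_response_code(500);
        return json_encode(['success' => 0, 'msg' => 'database error']);
    }
}

// Usage (hypothetical credentials):
// $pdo = pdoConnect('localhost', 'app', 'app_user', 'secret');
// echo handleDeleteRequest($pdo, $_POST);
```

With emulation disabled, MySQL's native prepared statements accept placeholders in value positions such as the `IN (...)` list, so the one-placeholder-per-id construction still works; what changes is that the server, not the PDO client, separates code from data. The integer validation is independent of that setting: it turns a malformed request into a 400 before any SQL is prepared, whichever mode the connection is in.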
