Do PHP PDO prepared statements need to be escaped?


Question


On the PDO::Prepare page it states,

"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"

Knowing this, is there a PHP function like mysql_real_escape_string() that takes care of escaping strings for PDO? Or does PDO take care of all escaping for me?

EDIT

I realize now that I asked the wrong question. My question really was, "What all does PDO take care of for me?" Which I realize now with these answers that it really only removes the need to escape the quotes. But I would still need to do any other PHP sanitize calls on the values that I pass to the execute function. Such as htmlentities(), strip_tags()...etc...

Solution

PDO does not escape the variables. The variables and the SQL command are transferred independently over the MySQL connection. And the SQL tokenizer (parser) never looks at the values. Values are just copied verbatim into the database storage without the possibility of ever causing any harm. That's why there is no need to marshal the data with prepared statements.

Note that this is mostly a speed advantage. With mysql_real_escape_string() you first marshal your variables in PHP, then send an inefficient SQL command to the server, which has to separate the actual SQL command from the values again, at some cost. That's why it's often said that the security advantage is only implicit, not the primary reason for using PDO.

If you concat the SQL command and don't actually use prepared statements (not good!), then yes, there still is an escape function for PDO: $pdo->quote($string)
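The three cases the answer describes (a prepared statement, plain concatenation, and concatenation with $pdo->quote()), plus the point raised in the question's EDIT that PDO does nothing about output escaping, as an added example that is not part of the original question or answer. It uses an in-memory SQLite database so it runs offline without a MySQL server; the table, its rows and the sample input value are constructed for the demonstration.

```php
<?php
// Added example (not from the original question or answer). In-memory SQLite
// keeps it self-contained; the table, rows and inputs below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed sample input: a value that changes the meaning of the query if
// it is spliced into the SQL text as-is.
$input = "x' OR '1'='1";

// 1. Prepared statement: the value travels separately from the SQL text, so
//    the SQL parser never sees its quote characters. No escaping by the caller.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("prepared: %d row(s)\n", count($rows));   // 0: no user has that literal name

// 2. Concatenation without quoting (the "not good!" case from the answer):
//    the quotes become part of the SQL and the WHERE clause no longer filters.
$sql  = "SELECT name FROM users WHERE name = '" . $input . "'";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("concat:   %d row(s)\n", count($rows));   // 2: every user matches

// 3. Concatenation with $pdo->quote(): the value is wrapped in quotes and any
//    embedded quote is escaped, so it is treated as one literal again.
$sql  = 'SELECT name FROM users WHERE name = ' . $pdo->quote($input);
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("quoted:   %d row(s)\n", count($rows));   // 0, same as the prepared statement

// 4. What PDO does NOT do (the question's EDIT): storing a value safely is not
//    the same as rendering it safely. Markup stored verbatim must still be
//    escaped for the context it is written into, e.g. HTML.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => '<b>Bob & Co</b>']);
$name = $pdo->query('SELECT name FROM users WHERE id = 3')->fetchColumn();
echo 'stored verbatim:  ', $name, "\n";
echo 'escaped for HTML: ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
```

One caveat worth knowing when the driver is pdo_mysql rather than SQLite: PDO::ATTR_EMULATE_PREPARES defaults to true there, so PDO escapes and splices the values into the query on the client side itself instead of sending them separately; setting that attribute to false gives the server-side transfer the answer describes. In both modes the calling code never escapes the values, which is the point of the answer.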
