PDO in Codeigniter - Protect vs SQL Injection


Problem description



True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class?

I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced.
I usually lean on experts such as Chris Shiflett and OWASP for security tips. http://shiflett.org/blog/2006/jul/the-owasp-php-top-5

Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Every time I upload it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record.

EDIT: NOT TO BE A SHILL but I wrote a post after the fact on how to integrate PDO in Codeigniter. If anyone has feedback, I would be happy to hear.

Solution

According to the page you referenced, the Active Record class uses mysql_ functions for string-escaping. That means it's still building SQL strings up in PHP-land instead of using parametrized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design.
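The design difference the answer describes, as an added example that is not part of the original post and not CodeIgniter's code: a query built by concatenation in PHP next to a PDO prepared statement, with prepare emulation turned off so the parameter really travels to MySQL separately from the SQL text. The `users` table, DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post or from CodeIgniter).
// Assumes a MySQL database with a `users` table having `id` and `email` columns;
// host, database name and credentials below are placeholders.

// Vulnerable pattern: the SQL text and the untrusted value are concatenated in
// PHP, so the database cannot tell where the query ends and the data begins.
function findUserUnsafe(PDO $db, string $email): ?array
{
    $sql = "SELECT id, email FROM users WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened pattern: the statement is prepared with a placeholder and the value
// is bound afterwards. With emulation disabled the MySQL server receives the
// query text and the parameter separately, so no escaping happens in PHP.
function findUserSafe(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Connection setup. ATTR_EMULATE_PREPARES defaults to true for the MySQL
// driver; in that mode PDO itself escapes and interpolates values into the SQL
// string in PHP-land, the same design the answer above argues against.
$db = new PDO(
    'mysql:host=127.0.0.1;dbname=app_db;charset=utf8mb4', // placeholder DSN
    'app_user',                                            // placeholder user
    'app_password',                                        // placeholder password
    [
        PDO::ATTR_EMULATE_PREPARES   => false,               // server-side prepares
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// A value containing quote characters is handed over as data, not as SQL:
// the bound parameter never changes the structure of the prepared statement.
$probe = "o'brien@example.com";
var_dump(findUserSafe($db, $probe)); // the matching row, or NULL if none exists
```

Calling `findUserUnsafe()` with the same input would produce a malformed query (or worse), which is exactly the failure class the parameterized version removes.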
