PDO in Codeigniter - Protect vs SQL Injection
True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class?
I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced.
I usually lean on experts such as Chris Shiflett and OWASP for security tips. http://shiflett.org/blog/2006/jul/the-owasp-php-top-5
Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Every time I upload it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record.
EDIT: NOT TO BE A SHILL but I wrote a post after the fact on how to integrate PDO in Codeigniter. If anyone has feedback, I would be happy to hear.
According to the page you referenced, the Active Record class uses mysql_ functions for string-escaping. That means it's still building SQL strings up in PHP-land instead of using parametrized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design.
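As an added example (not code from the question, the answer, or CodeIgniter), here are the two designs the answer contrasts, written in plain PHP with PDO; the DSN, credentials and the `users` table are assumed:

```php
<?php
// Added example, not from the original page. Connection details and the
// "users" table are placeholders.
declare(strict_types=1);

// Design 1 (what the answer describes): escape the value, then build the SQL
// string in PHP. Correctness depends on the escaping routine matching the
// connection charset and on every value actually being escaped.
function findUserByEmailEscaped(PDO $pdo, string $email): string
{
    $quoted = $pdo->quote($email); // client-side escaping and quoting
    return "SELECT id, email FROM users WHERE email = $quoted";
}

// Design 2: parameterized query. The SQL template and the values travel
// separately, so input is never parsed as SQL by the server.
function connectPdo(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'app_user', 'app_password', [        // placeholder creds
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Send real prepared statements to the server rather than letting the
        // driver splice escaped values into the string on the client.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function findUserById(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Caveat: placeholders bind values only. Identifiers such as a sort column
// cannot be bound, so they must be checked against an allow-list first.
function listUsersSorted(PDO $pdo, string $orderBy, int $limit): array
{
    if (!in_array($orderBy, ['id', 'email', 'created_at'], true)) {
        throw new InvalidArgumentException('unsupported sort column');
    }
    $stmt = $pdo->prepare("SELECT id, email FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}
```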