CodeIgniter PDO driver uses query instead of prepare? Isn't this less secure?


Question

I am new to the CodeIgniter framework for php and was looking at the PDO database driver with Version 2.1.0. I noticed it uses the PDO 'query' function and not 'prepare' and 'bindParam'/'bindValue'.

Doesn't this completely miss the point of using PDO in the first place and in fact make it less protected from sql injection than using the normal mysql driver they provide. It doesn't seem to be escaping queries like it does with the other provided drivers? Or am I completely misinterpreting something?

EDIT: It looks as if CodeIgniter may in fact be using PDO::quote to sanitize. But even the PHP documentation says this is not recommended as it is less secure, and it seems to miss the point of PDO in the first place.

Recommended answer

I dunno CI but there is a simple rule to remember:

Despite common belief, as a matter of fact, it should always be escaping+quoting.
If we don't quote escaped data, we get no good from escaping.

So, I suppose that CI does both. If so, it should be safe.

The only consequence I can think of is LIMIT parameters. If you pass them as variables of string type, a CI query might throw an error, like PDO in compatibility mode does. I'd be grateful if you test this behavior and post the result.
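An added example (not code from the question, the answer, or CodeIgniter itself) showing the escaping+quoting rule and the LIMIT caveat discussed above; the in-memory SQLite table and the helper `limitClause` are assumptions made here, and the MySQL behaviour for `LIMIT '2'` is the one the answer describes.

```php
<?php
// Added example, not CodeIgniter's driver code. Uses an in-memory SQLite
// database so it runs offline; the SQL-building points apply to MySQL as well.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Reilly')");

// 1. Escape+quote: PDO::quote() both escapes and wraps the value in quotes,
//    so a string value cannot break out of the literal. Escaping alone,
//    with the quotes left to the caller, is what the answer warns against.
$name = "' OR 1=1 --";                   // constructed hostile input
$sql  = 'SELECT id FROM users WHERE name = ' . $pdo->quote($name);
echo $sql, "\n";                         // the whole value stays inside one literal
echo count($pdo->query($sql)->fetchAll()), " row(s)\n";   // 0 rows, no injection

// 2. The LIMIT caveat: quote() turns a numeric *string* into a quoted literal.
//    MySQL rejects "LIMIT '2'" as a syntax error, which is the failure the
//    answer predicts for string-typed LIMIT parameters.
$limit = '2';                            // arrived as a string, e.g. from $_GET
$bad   = 'SELECT id FROM users LIMIT ' . $pdo->quote($limit);
echo $bad, "\n";                         // ... LIMIT '2'

// Hypothetical helper: LIMIT is not a string value, so validate it as an
// integer instead of quoting it.
function limitClause(string $limit): string
{
    if (!ctype_digit($limit)) {
        throw new InvalidArgumentException('LIMIT must be a non-negative integer');
    }
    return ' LIMIT ' . (int) $limit;
}
$good = 'SELECT id FROM users' . limitClause($limit);
echo count($pdo->query($good)->fetchAll()), " row(s)\n";  // 2

// 3. Real prepared statements with typed binding avoid the problem entirely:
//    the driver receives the SQL and the typed values separately. On MySQL,
//    also set PDO::ATTR_EMULATE_PREPARES to false so PDO does not quote
//    the values client-side.
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name LIMIT :lim');
$stmt->bindValue(':name', "O'Reilly", PDO::PARAM_STR);
$stmt->bindValue(':lim', (int) $limit, PDO::PARAM_INT);
$stmt->execute();
echo count($stmt->fetchAll()), " row(s)\n";               // 1
```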
