How do I sanitize input with PDO?

Time: 2021-07-05 15:41:17

Do I need to use mysql_real_escape_string() on my input (such as $_POST and $_GET) when I use the PDO library?


How do I properly escape user input with PDO?


2 solutions

#1


29  

If you use PDO you can parameterize your queries, removing the need to escape any included variables.


See here for a great introductory tutorial for PDO.


Using PDO you can separate the SQL and the passed parameters using prepared statements; this removes the need to escape strings, because the two are held separately and then combined at execution, so the parameters are automatically handled as strings. From the above source:


   <?php
   // where $dbh is your PDO connection
   $animal_id   = 1;       // values would normally come from user input, e.g. $_GET
   $animal_name = 'tiger';

   $stmt = $dbh->prepare("SELECT * FROM animals WHERE animal_id = :animal_id AND animal_name = :animal_name");

   /*** bind the parameters ***/
   $stmt->bindParam(':animal_id', $animal_id, PDO::PARAM_INT);
   // the length argument (5) only matters for INOUT parameters of stored procedures; it does not truncate input
   $stmt->bindParam(':animal_name', $animal_name, PDO::PARAM_STR, 5);

   /*** execute the prepared statement ***/
   $stmt->execute();
   $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

Note: sanitization occurs during variable binding ($stmt->bindParam)


Other resources:


http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/


http://www.phpeveryday.com/articles/PDO-Prepared-Statement-P550.html


http://php.net/manual/en/pdo.prepared-statements.php

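To make the separation described in this answer concrete, here is an added example (not part of the answer or of the linked tutorial) that runs the same kind of lookup against an in-memory SQLite database through PDO, once with string concatenation and once with a bound parameter. The table, its rows, the inputs and the function names are all constructed for the demonstration.

```php
<?php
// Added example: string concatenation versus a PDO prepared statement.
// Uses an in-memory SQLite database so it runs offline; table and rows
// are constructed here and are not from the original answer.
declare(strict_types=1);

function makeDb(): PDO
{
    $dbh = new PDO('sqlite::memory:');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->exec('CREATE TABLE animals (animal_id INTEGER PRIMARY KEY, animal_name TEXT NOT NULL)');
    $ins = $dbh->prepare('INSERT INTO animals (animal_name) VALUES (:name)');
    foreach (['cat', 'dog', "O'Reilly"] as $name) {
        $ins->execute([':name' => $name]);
    }
    return $dbh;
}

// Vulnerable: the user's input becomes part of the SQL text the parser sees.
function findUnsafe(PDO $dbh, string $name): array
{
    $sql = "SELECT animal_name FROM animals WHERE animal_name = '$name'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed at prepare() time and the value travels
// separately, so the database always treats it as a string literal.
function findSafe(PDO $dbh, string $name): array
{
    $stmt = $dbh->prepare('SELECT animal_name FROM animals WHERE animal_name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$dbh = makeDb();

// 1. A legitimate apostrophe: concatenation produces a syntax error,
//    the bound parameter simply finds the row.
try {
    findUnsafe($dbh, "O'Reilly");
} catch (PDOException $e) {
    echo "unsafe query failed on a plain apostrophe: ", $e->getMessage(), "\n";
}
print_r(findSafe($dbh, "O'Reilly"));

// 2. The classic tautology: concatenation changes the WHERE clause and
//    returns every row; the bound parameter is compared as the literal
//    string and matches nothing.
$input = "x' OR '1'='1";
echo 'unsafe row count: ', count(findUnsafe($dbh, $input)), "\n";
echo 'safe row count:   ', count(findSafe($dbh, $input)), "\n";
```

Two practical notes on the design: bindValue() is used rather than bindParam() because the value does not need to be bound by reference, and for MySQL it is worth setting PDO::ATTR_EMULATE_PREPARES to false on the connection so the server itself performs the binding instead of the client library interpolating an escaped copy into the query text.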

#2


5  

The important point when using PDO is:

使用PDO时的重点是:

PDO will only sanitize it for SQL, not for your application.


So yes, for writes, such as INSERT or UPDATE, it’s especially critical to still filter your data first and sanitize it for other things (removal of HTML tags, JavaScript, etc).


<?php
$pdo = new PDO(...);
$stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // <-- filter your data first
// FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated as of PHP 8.1
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING); // <-- filter your data first
$stmt->bindParam(':id', $id, PDO::PARAM_INT); // <-- Automatically sanitized for SQL by PDO
$stmt->bindParam(':name', $name, PDO::PARAM_STR); // <-- Automatically sanitized for SQL by PDO
$stmt->execute();

Without sanitizing the user input, a hacker could have saved some JavaScript into your database and then, when outputting it into your site, you would have been exposed to a threat!


http://www.phptherightway.com/#pdo_extension

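As an added example (not from the answer above), the following shows the division of labour the answer describes: PDO's bound parameters carry the value to the database untouched, input that must be an integer is validated rather than "sanitized", and the HTML context is handled at the moment the value is rendered, which is where stored JavaScript would otherwise become a problem. The in-memory SQLite database, the constructed request values and the function names are all assumptions made for the demonstration.

```php
<?php
// Added example: store a value exactly as submitted via a PDO prepared
// statement, then encode it for HTML only when it is output. In-memory
// SQLite; the users row and the request values are constructed here.
declare(strict_types=1);

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name) VALUES ('placeholder')");
    return $pdo;
}

// Validate instead of sanitize: FILTER_VALIDATE_INT returns false for
// anything that is not a whole number, so "12abc" is rejected outright
// rather than silently turned into 12.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function updateName(PDO $pdo, int $id, string $name): void
{
    $stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    // Stored verbatim: the prepared statement needs no escaping for SQL,
    // and stripping tags here would corrupt legitimate names like "Tom & Jerry".
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
}

function loadName(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Encode for the HTML context at output time; ENT_QUOTES also covers
// attribute values, ENT_SUBSTITUTE avoids an empty string on bad UTF-8.
function renderName(string $name): string
{
    return '<span class="name">'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

$pdo = makeDb();

// Simulated request values (constructed; stand in for $_GET / $_POST).
$request = ['id' => '1', 'name' => 'Tom & Jerry <script>alert(1)</script>'];

$id = parseId($request['id']);
if ($id === null) {
    exit("invalid id\n");
}
updateName($pdo, $id, $request['name']);

// The database holds exactly what was submitted, tags included ...
echo loadName($pdo, $id), "\n";
// ... and the page receives an encoded string, which the browser shows as text.
echo renderName(loadName($pdo, $id)), "\n";
```

The point of keeping the stored value intact is that the same data may later be emitted into different contexts (an HTML body, a JSON API, a CSV export), each with its own encoding rules; encoding once at input time for one of those contexts would be wrong for the others.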
