为什么需要在bindParam()中指定参数类型?

2021-12-26 00:00:00 php pdo sql-injection

我有点困惑,为什么我们需要指定我们在 Php 中的 PDO 中的 bindParam() 函数中传递的数据类型.例如这个查询:

I am a bit confuse as to why we need to specify the type of data that we pass in the bindParam() function in PDO in Php. For example this query:

$calories = 150; 
$colour = 'red';
$sth = $dbh->prepare('SELECT name, colour, calories
FROM fruit
WHERE calories < ? AND colour = ?');
$sth->bindParam(1, $calories, PDO::PARAM_INT); 
$sth->bindParam(2, $colour, PDO::PARAM_STR, 12);
$sth->execute();

如果我不指定第三个参数,是否存在安全风险.我的意思是如果我只是在 bindParam() 中做:

Is there a security risk if I do not specify the 3rd parameter. I mean if I just do in the bindParam():

$sth->bindParam(1, $calories); 
$sth->bindParam(2, $colour);

推荐答案

对类型使用 bindParam() 可以被认为更安全,因为它允许更严格的验证,进一步防止 SQL 注入.但是,如果您不这样做,我不会说会涉及真正 安全风险,因为更多的是您执行了prepared statement 比类型验证更能防止 SQL 注入.实现此目的的更简单方法是简单地将数组传递给 execute() 函数,而不是使用 bindParam(),如下所示:

Using bindParam() with types could be considered safer, because it allows for stricter verification, further preventing SQL injections. However, I wouldn't say there is a real security risk involved if you don't do it like that, as it is more the fact that you do a prepared statement that protects from SQL injections than type verification. A simpler way to achieve this is by simply passing an array to the execute() function instead of using bindParam(), like this:

$calories = 150; 
$colour = 'red';

$sth = $dbh->prepare('SELECT name, colour, calories
                      FROM fruit
                      WHERE calories < :calories AND colour = :colour');

$sth->execute(array(
    'calories' => $calories,
    'colour' => $colour
));

您没有义务使用字典,您也可以像使用问号一样使用字典,然后将其按相同的顺序放入数组中.然而,即使这很完美,我还是建议养成使用第一个的习惯,因为一旦达到一定数量的参数,这种方法就会变得一团糟.为了完整起见,这里是它的样子:

You're not obligated to use a dictionary, you can also do it just like you did with questionmarks and then put it in the same order in the array. However, even if this works perfectly, I'd recommend making a habit of using the first one, since this method is a mess once you reach a certain number of parameters. For the sake of being complete, here's what it looks like:

$calories = 150; 
$colour = 'red';

$sth = $dbh->prepare('SELECT name, colour, calories
                      FROM fruit
                      WHERE calories < ? AND colour = ?');

$sth->execute(array($calories, $colour));

相关文章