PHP - PDO 引用是否安全从 SQL 注入?
$id = trim((int)$_GET['id']);
$sql = 'SELECT * FROM users WHERE id = ' . $db->quote($id) . ' LIMIT 1';
$run = $db->query($sql)->fetch();
PDO 的引用方法作为准备好的语句是否安全?或者我必须在我的脚本中一直使用准备好的语句?
Does PDO's quote method is safe as prepared statements? Or i have to use prepared statements all the way in my script?
推荐答案
基本上 quote()
作为准备好的语句是安全的,但它取决于 quote()
当然还有它的后续使用.此外,必须考虑使用的数据库系统/PDO 驱动程序的实现才能回答问题.
Basically quote()
is safe as prepared statements but it depends on the proper implementation of quote()
and of course also on it's consequent usage. Additionally the implementation of the used database system/PDO driver has to be taken into account in order to answer the question.
虽然准备好的语句可以是底层数据库协议(如 MySQL)的一个特性,然后将在数据库服务器上准备好"(服务器站点准备),它不一定必须并且也可以在客户端站点上解析(客户端站点准备).
While a prepared statement can be a feature of the underlying database protocol (like MySQL) and will then being "prepared" on the database server (a server site prepare), it does not necessarily have to be and can be parsed on client site as well (a client site prepare).
在 PDO 中,这取决于:
In PDO this depends on:
- 驱动程序/数据库系统是否支持服务器端准备好的语句?
PDO::ATTR_EMULATE_PREPARES
必须设置为false
(如果驱动程序支持,则默认设置)
- Does the driver/database system support server side prepared statements?
PDO::ATTR_EMULATE_PREPARES
must be set tofalse
(default if the driver supports it)
如果其中一个条件不满足,PDO 会回退到客户端准备,再次在幕后使用类似 quote()
的东西.
If one of the conditions is not met, PDO falls back to client site prepares, using something like quote()
under the hood again.
结论:
使用准备好的语句没有坏处,我鼓励您使用它们.即使您明确使用 PDO::ATTR_EMULATE_PREPARES
或您的驱动程序根本不支持服务器站点准备,准备好的语句将强制执行一个工作流程,其中引用不会被忘记.另请检查@YourCommonSense 的回答.他详细说明了这一点.
Using prepared statements doesn't hurt, I would encourage you to use them. Even if you explicitly use PDO::ATTR_EMULATE_PREPARES
or your driver does not support server site prepares at all, prepared statements will enforce a workflow where it is safe that quoting can't be forgotten. Please check also @YourCommonSense's answer. He elaborates on that.
相关文章