我是否必须使用准备好的SQL语句清理用户输入?
[英]Do I have to sanitize user input with prepared SQL statements?
问题描述
Is this considered completely safe? 
这被认为是完全安全的吗?
$stmt = $dbhandler->prepare("update sometable set somefield=:somestring");
$stmt->bindParam(":somestring",$_REQUEST["hack_me_please"],PDO::PARAM_STR);
$stmt->execute();
And if not, what could make it safer? 如果没有的话,什么可以使它更安全? I'm assuming there are unknown vulnerabilities in PDO/MySQL/PHP that may be exploited in the future so I'm wondering if there is anything reasonable I can do make my queries safer, or is it out of my hands with prepared statements. 我假设PDO / MySQL / PHP中存在未知的漏洞,将来可能会利用该漏洞,所以我想知道是否有任何合理的方法可以使我的查询更安全,或者是通过准备好的语句将其移出我的手。
If it is this easy, why is SQL injection still a thing? 如果这样简单,为什么SQL注入仍然是一回事? Shouldn't it have gone the way of polio? 它不应该消除小儿麻痹症吗?
2 个解决方案
解决方案1
2 已采纳 2014-04-24 04:36:39
No, it's not necessary to sanitize inputs when using prepared statement to protect sql injections but you may do it if you want for any other reason. 不,使用预处理语句保护sql注入时不必清理输入,但是如果出于其他原因,也可以这样做。
If it is this easy, why is SQL injection still a thing?
it's easy for those who knows about it, nothing is easy unless you know it. 对于那些了解它的人来说很容易,除非您知道它,否则没有一件事情是容易的。 I believe sql injection doesn't happen a lot nowadays. 我相信现在sql注入不会发生很多。
解决方案2
1 2014-04-24 04:48:08
Your example is completely safe because it passes the user input parameters separate from the query string. 您的示例完全安全,因为它传递了与查询字符串分开的用户输入参数。 The reason sql injection still exists is because a lot of users still use the deprecated mysql_* api/driver and are unaware of the alternatives. sql注入仍然存在的原因是,由于许多用户仍在使用已弃用的mysql_* api / driver,并且不知道替代方法。 Also, even using pdo or mysqli you can still pass user input directly into the query string instead of binding it separately. 同样,即使使用pdo或mysqli,您仍然可以将用户输入直接传递到查询字符串中,而不必单独绑定它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.