[英]Is it possible to perform a SQL injection attack on this code?
function addUser($username, $first_name, $last_name, $email, $pw, $type) {
include $_SERVER['DOCUMENT_ROOT'] . '/connection_library/connection_library.php';
$insertRow = NULL;
$connection = connectUserLogfiles();
try {
$sql = "INSERT INTO user_list (username, first_name, last_name, email, password, type) "
. "VALUES (:username, :first_name, :last_name, :email, :pw, :type)";
$stmt = $connection->prepare($sql);
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':first_name', $first_name, PDO::PARAM_STR);
$stmt->bindParam(':last_name', $last_name, PDO::PARAM_STR);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':pw', $pw, PDO::PARAM_STR);
$stmt->bindParam(':type', $type, PDO::PARAM_STR);
$worked = $stmt->execute();
$stmt->rowCount();
$stmt->closeCursor();
} catch (Exception $ex) {
return FALSE;
}
return $worked;
}
I have heard that using bindParam will prevent SQL injection attacks. 我听说使用bindParam可以防止SQL注入攻击。 Is this true?
这是真的? Is there a way to execute SQL injection attacks on this code?
有没有办法对此代码执行SQL注入攻击? Assuming I perform no filtering or sanitizing on the parameters (with the exception being the password, which has been encrypted with a strong one way encryption scheme), how would you perform a SQL injection attack?
假设我不对参数执行任何过滤或清除操作(除了密码,密码已使用一种强大的单向加密方案进行了加密),您将如何执行SQL注入攻击?
The database is a MySQL database, and the user being used in the connectionUserLogfiles()
function only has SELECT, INSERT and UPDATE privileges. 该数据库是MySQL数据库,在
connectionUserLogfiles()
函数中使用的用户仅具有SELECT,INSERT和UPDATE特权。
I have heard that using bindParam will prevent SQL injection attacks.
我听说使用bindParam可以防止SQL注入攻击。 Is this true?
这是真的?
Yes , provided that you disable emulated prepares (they're enabled by default) and your database driver isn't stupid. 是的 ,前提是您禁用了模拟准备 (默认情况下已启用它们)并且您的数据库驱动程序不是愚蠢的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.