[英]PDO form inputs
Currently I'm working with this code, it works as it is however needless to say it leaves it open to vulnerabilities any time I change $dateTo
to :dateTo
the query stops working any advice would be great. 目前,我正在使用此代码,它可以工作,因为不用说,
$dateTo
我将$dateTo
更改$dateTo
:dateTo
查询停止工作时,它都会对漏洞开放,任何建议都很棒。
$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];
$sql = "SELECT sum(countAudit) AS AMZL, sum(countAudit) AS OTHER, dateEntered, count(sort_id) AS Audited, sum(error) AS error, timeEntered
FROM audits WHERE (dateEntered BETWEEN ':from' AND '$dateTo')";
$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);
$query->execute();
foreach($db->query($sql) as $row){
echo $row['AMZL'] . "<br>";
}
Use prepared statements properly, named placeholders doesn't need to be quoted. 正确使用准备好的语句,无需引用命名的占位符。
Plus, don't directly inject variables inside the query statement: 另外,不要直接在查询语句中插入变量:
AND '$dateTo')";
It defeats the purposes of prepared statements. 它违反了准备好的陈述的目的。
And don't mix up ->query()
and ->execute()
. 并且不要混淆
->query()
和->execute()
。 Just use straight up ->execute()
: 只需直接使用
->execute()
:
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
// turn on error reporting
$from = $_POST['from'];
$dateTo = $_POST['dateTo'];
$hourTo = $_POST['hoursTo'];
$hourFrom = $_POST['hoursFrom'];
$minuteTo = $_POST['minutesTo'];
$minuteFrom = $_POST['minutesFrom'];
$sql = "
SELECT
sum(countAudit) AS AMZL,
dateEntered,
count(sort_id) AS Audited,
um(error) AS error,
timeEntered
FROM audits
WHERE (dateEntered BETWEEN :from AND :dateTo)
"; // ^remove quotes^
$query = $db->prepare($sql);
$query->bindParam(':from', $from);
$query->bindParam(':dateTo', $dateTo);
$query->execute(); // execute
$results = $query->fetchAll(PDO::FETCH_ASSOC);
// don't forget to fetch the results
foreach($results as $row){
echo $row['AMZL'] . "<br>";
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.