Zend_DB / Doctrine是否可以保护我免受SQL注入?
[英]Does Zend_DB / Doctrine protect me from SQL injection?
问题描述
Does using prepared statements in Zend_DB or Doctrine protect me from sql injection? 
在Zend_DB或Doctrine中使用准备好的语句是否可以保护我免受SQL注入的侵害?
example: 例:
$stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND password = ?');
$rs = $stmt->execute('peter', 'secret');
Or do I have to check strings and types types myself? 还是我必须自己检查字符串和类型类型?
Another quickie: Which of the two is best? 另一个快捷方式:两者中哪一个最好? I only need the DB abstraction (w/ statements, procedures, and transactions). 我只需要数据库抽象(带有语句,过程和事务)。
1 个解决方案
解决方案1
1 已采纳 2010-08-31 09:39:25
Yes. 是。
Prepared statements, whether done with Zend_Db, Doctrine or plain old mysqli, protect you from injection by separating the query structure from the data. 准备好的语句,无论是用Zend_Db,Doctrine还是普通的mysqli完成,都可以通过将查询结构与数据分开来防止注入。 This means that if you prepare a statement that selects users based on their name and password, no hacker will be able to provide data that turns that statement into a different one. 这意味着,如果您准备了一条根据用户名和密码选择用户的语句,那么黑客将无法提供将该语句转换为其他语句的数据。
Just make sure that the query itself is a string constant. 只要确保查询本身是一个字符串常量即可。
As for your second question, Doctrine and Zend_Db have different approaches that fit different situations and different aesthetic preferences. 至于第二个问题,Doctrine和Zend_Db具有不同的方法,可以适应不同的情况和不同的审美偏好。 There have already been several questions on the topic here. 这里已经有关于该主题的几个问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.