
PDO in Codeigniter - Protect vs SQL Injection

True PHP Security experts, is PDO the way to go or would I be ok with Codeigniter's Active Record class?

I have read http://codeigniter.com/forums/viewthread/179618/ and am not 100% convinced.
I usually lean on experts such as Chris Shiflett and OWASP for security tips: http://shiflett.org/blog/2006/jul/the-owasp-php-top-5

Been using a homebrewed PDO DB Class in place of the Codeigniter Database files. Every time I upload it is a relatively small pain to copy over. The main reason I use PDO is to protect from SQL Injection vs using Active Record.

EDIT: NOT TO BE A SHILL, but I wrote a post after the fact on how to integrate PDO in Codeigniter. If anyone has feedback, I would be happy to hear it.

Well, there is a general answer for all the questions of this kind:

It's not a wand, it's a wizard.

(I don't know where I got that saying, and it seems I'm the only one using it, but most likely I misspelled it.)

There is nothing good or bad in the technology itself.
Everything depends on the hands that are using it.

  1. There is nothing insecure in mysql, if used properly.
  2. PDO is not a magical aegis that covers your back from all dangers by its presence only.

Every time I see lame talks of SQL injection, it's always about dynamic data only.
While most danger comes from other query parts - say, dynamic identifiers. Where PDO can do a little less than nothing to deal with them.

So, there cannot be a certain answer.
You can use whatever technology you like, as long as you understand what you are doing.
And on the contrary, if you don't understand how it works but just believe that some technology is doing your job of protecting your app, you're already in trouble.

That's it.

According to the page you referenced, the Active Record class uses mysql_ functions for string-escaping. That means it's still building SQL strings up in PHP-land instead of using parametrized APIs into the database. While it may be free of known defects right now, it is still a better idea to use an API that follows a more secure design.

If you are already at a comfy point with your PDO library, there is no reason to stop using it in CI. Active Record is great if you want to follow the CI patterns, but it is hardly a requirement in any sense.

Take a look at http://codeigniter.com/user_guide/database/queries.html

The last section, Query Bindings, tells you that you can use query bindings, which are automatically escaped.

Although it's not really prepared statements, it's an effective simulation of the same.
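As an added example (not code from the question or from any of the answers), here is how the two cases the answers distinguish look in plain PDO: values go through bound parameters, while a dynamic identifier such as an ORDER BY column, which a placeholder cannot stand in for, is mapped onto a fixed whitelist. The in-memory SQLite database and the table and column names are assumptions for this example.

```php
<?php
// Added example: bound parameters for data, a whitelist for identifiers.
// The users table and its columns are constructed for this example.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created TEXT)');
$pdo->exec("INSERT INTO users (name, email, created) VALUES ('alice', 'a@example.com', '2020-01-01')");
$pdo->exec("INSERT INTO users (name, email, created) VALUES ('bob', 'b@example.com', '2021-06-15')");

/**
 * Fetch users matching a name (dynamic data), sorted by a caller-chosen
 * column and direction (dynamic identifiers).
 */
function findUsers(PDO $pdo, string $name, string $orderBy, string $dir): array
{
    // Dynamic identifiers: PDO has no placeholder for a column name, so the
    // request is looked up in a fixed map and anything else is refused before
    // any SQL text is assembled.
    $columns = ['name' => 'name', 'email' => 'email', 'created' => 'created'];
    if (!isset($columns[$orderBy])) {
        throw new InvalidArgumentException("Unknown sort column: $orderBy");
    }
    $direction = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    // Dynamic data: sent as a bound parameter, never interpolated into the SQL.
    $sql = "SELECT id, name, email FROM users WHERE name = :name "
         . "ORDER BY {$columns[$orderBy]} $direction";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':name' => $name]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A valid request: the value is bound, the identifier comes from the whitelist.
print_r(findUsers($pdo, 'alice', 'created', 'desc'));

// A sort column outside the whitelist is rejected without touching the database.
try {
    findUsers($pdo, 'alice', 'not_a_column', 'asc');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same split applies to CodeIgniter's query bindings: the `?` markers cover values only, so table and column names chosen at runtime still need a whitelist like the one above.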

