簡體   English   中英

通過$ _POST數組循環的PDO插入語句

[英]PDO insert statement with loop through $_POST array

如何在$ _POST表單名稱等於數據庫列名稱的$ _POST數組中循環,並從MySQL注入安全地做到這一點?

我將有大約40個輸入的表格。

例如,我有html格式( index.php ):

<form action="form.php" id="myForm" method="POST" enctype="multipart/form-data">

User: <input type="text" name="owner_name"><br>
User-email: <input type="text" name="owner_email"><br>
User-id: <input type="text" name="owner_id"><br>
Pictures: <br><input name="pictures[]" type="file" size="50" maxlength="100000" multiple><br>
<input type="submit" value="Send" />
</form>

而且我有form.php文件:

$pdo = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);

// Check connection
if ($pdo->connect_error) {
    die("Connection failed: " . $pdo->connect_error);
}

$statement = $pdo->prepare("INSERT INTO claims_motor(owner_email, owner_name, owner_id)
    VALUES(:owner_email, :owner_name, :owner_id)");
$statement->execute(array(
    "owner_email" => $_POST['owner_email'],
    "owner_name" => $_POST['owner_name'],
    "owner_id" => $_POST['owner_id']
));

如何為$ _POST建立一個foreach循環,所以我不需要為40個$ _POST變量編寫此代碼?

正如其他人所指出的那樣,惡意用戶仍然有可能編輯DOM中的字段名稱,但這表示可能感興趣。

$sql='insert into `claims_motor` (`'.implode( '`,`', array_keys( $_POST ) ) .'`) values (:'.implode(',:',array_keys( $_POST ) ).');';
foreach( $_POST as $field => $value ) $params[":{$field}"]=$value;

$statement = $pdo->prepare( $sql );
$statement->execute( $params );

為了回答有關從輸入數據中刪除虛假html的問題,您可以嘗試以下方法:

$options=array( 'flags'=>FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH | FILTER_FLAG_ENCODE_LOW | FILTER_FLAG_ENCODE_HIGH | FILTER_FLAG_ENCODE_AMP );

function filterfield( $field ){
    global $options;
    return ":".strip_tags( filter_var( $field, FILTER_SANITIZE_STRING, $options ) );
}
function filtervalue( $field ){
    global $options;
    return strip_tags( filter_input( INPUT_POST, $field,  FILTER_SANITIZE_STRING, $options ) );
}
function isfield( &$field, $key, $fields ){
    $field=in_array( $field, $fields ) ? $field : false;
}

$sql='insert into `claims_motor` (`'.implode( '`,`', array_keys( $_POST ) ) .'`) values (:'.implode(',:',array_keys( $_POST ) ).');';
foreach( $_POST as $field => $value ) $params[ filterfield( $field ) ]=filtervalue( $field );

我並不是說這是一個完美的解決方案,但它或多或少地回答了您的原始問題。 您可以在此處找到有關過濾器的更多信息

我使用PDO嘗試了此操作,並在值中包含了DROP語句,這樣就可以了-將其作為字符串數據插入。 當我嘗試修改字段名稱時,它導致PDOException並沒有執行其他操作。

要按照您的建議獲取列名,可以嘗試:-

$sql="select group_concat(`column_name`) as 'cols' 
        from `information_schema`.`columns` 
        where `table_schema`=database() and `table_name`=:table;";

$params=array(':table' => 'claims_motor');
$statement = $pdo->prepare( $sql );
$statement->execute( $params );

/* Process the recordset */
$cols=$rs->cols; /* or whatever method to access the record */


/* Filter fields that were not in form - if any */
$cols=explode( ',', $cols );
array_walk( $cols, 'isfield', array_keys( $_POST ) );
$fields = array_filter( $cols );

/* Prepare sql for the insert statment */
$sql_insert='insert into `claims_motor` (`'.implode( '`,`', $fields ) .'`) values (:'.implode( ',:', $fields ).');';

/* reset params array */
$params=array();

/* Construct new array of bound variables / params */
foreach( $_POST as $field => $value ) $params[ filterfield( $field ) ]=filtervalue( $field );

/* add the data to db */
$statement = $pdo->prepare( $sql );
$statement->execute( $params );

暫無
暫無

聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.

 
粵ICP備18138465號  © 2020-2024 STACKOOM.COM