php 如何使用 PDO 清理输入?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4364686/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How do I sanitize input with PDO?
提问by Karem
回答by SW4
If you use PDO you can parametize your queries, removing the need to escape any included variables.
如果您使用 PDO,您可以参数化您的查询,无需转义任何包含的变量。
See herefor a great introductory tutorial for PDO.
有关PDO 的精彩介绍性教程,请参见此处。
Using PDO you can seperate the SQL and passed parameters using prepared statements, this removes the need to escape strings, as because the two are held seperately then combined at execution, the parameters are automatically handled as stings, from the above source:
使用 PDO,您可以使用准备好的语句将 SQL 和传递的参数分开,这消除了对字符串进行转义的需要,因为这两者是分开保存的,然后在执行时组合,参数会自动作为字符串处理,来自上述来源:
// where $dbh is your PDO connection
$stmt = $dbh->prepare("SELECT * FROM animals WHERE animal_id = :animal_id AND animal_name = :animal_name");
/*** bind the paramaters ***/
$stmt->bindParam(':animal_id', $animal_id, PDO::PARAM_INT);
$stmt->bindParam(':animal_name', $animal_name, PDO::PARAM_STR, 5);
/*** execute the prepared statement ***/
$stmt->execute();
Note: sanitization occurs during variable binding ($stmt->bindParam)
注意:清理发生在变量绑定 ( $stmt->bindParam)
Other resources:
其他资源:
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
http://www.phpeveryday.com/articles/PDO-Prepared-Statement-P550.html
http://www.phpeveryday.com/articles/PDO-Prepared-Statement-P550.html
回答by fluminis
The important point when using PDO is:
使用 PDO 时的重点是:
PDO will only sanitize it for SQL, not for your application.
PDO 只会为 SQL 清理它,而不是为您的应用程序清理它。
So yes, for writes, such as INSERT or UPDATE, it's especially critical to still filter your data first and sanitize it for other things (removal of HTML tags, JavaScript, etc).
所以是的,对于写入,例如 INSERT 或 UPDATE,仍然首先过滤您的数据并对其进行清理以用于其他事情(删除 HTML 标记、JavaScript 等)尤其重要。
<?php
$pdo = new PDO(...);
$stmt = $pdo->prepare('UPDATE users SET name = :name WHERE id = :id');
$id = filter_input(INPUT_GET, 'id', FILTER_SANITIZE_NUMBER_INT); // <-- filter your data first
$name = filter_input(INPUT_GET, 'name', FILTER_SANITIZE_STRING); // <-- filter your data first
$stmt->bindParam(':id', $id, PDO::PARAM_INT); // <-- Automatically sanitized for SQL by PDO
$stmt->bindParam(':name', $name, PDO::PARAM_STR); // <-- Automatically sanitized for SQL by PDO
$stmt->execute();
Without sanitizing the user input, a hacker could have saved some javascript into your database and then, when output it into your site you would have been exposed to a threat!
如果不清理用户输入,黑客可能已经将一些 javascript 保存到您的数据库中,然后,当将其输出到您的网站时,您就会受到威胁!
