Does Eloquent ORM (Laravel 5) take care of SQL injection?
Note: this page is a Chinese-English side-by-side translation of a popular Stack Overflow question, provided under the CC BY-SA 4.0 license. You are free to use and share it, but you must follow the same CC BY-SA license, cite the original address and author information, and attribute it to the original authors (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/41539095/
Asked by Dave2345
I couldn't find it online, but does Eloquent ORM take care of SQL injection like PDO prepared statements do?
Answered by Bill Karwin
No framework "takes care of" SQL injection.
You take care of SQL injection.
A framework may provide methods of doing that conveniently, but you still have to use the methods consistently.
For example, you should use query parameters instead of concatenating variables into your SQL expressions.
Re your comment:
Eloquent has methods like whereRaw() which allow you to write any expression you want. Here's an example from the Eloquent docs:
$users = User::whereRaw('age > ? and votes = 100', [25])->get();
If you use this ? syntax for parameters, and pass the values as the array argument following, then yes, you can safely depend on Eloquent to use parameterization.
But it's not accurate to say "Eloquent takes care of SQL injection" because that leads some naive developers to think that you can do unsafe things like this:
$users = User::whereRaw("age > {$_GET['age']} and votes = 100")->get();
And they mistakenly believe that Eloquent can magically fix it for you. This is not true.
Every ORM provides safe ways of combining application variables into the query, but also provides ways developers can circumvent that. They have to provide those methods, because there are always parts of queries that cannot be parameterized.
That's what I mean when I say it's up to you to use the ORM properly, and avoid unsafe code.
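As an added illustration (not code from the original answer), the unsafe interpolation above beside a version that binds the value with a ? placeholder and, for the one part of the query that cannot be bound (a user-chosen sort column), checks the input against a fixed allowlist. The Laravel 5 app, the User model with age and votes columns, and the request parameters are assumed.

```php
<?php
// Added example, not from the original Stack Overflow answer.
// Assumes a Laravel 5 application with an Eloquent `User` model that has
// `age` and `votes` columns. Query-string input is the untrusted data.

use App\User;
use Illuminate\Http\Request;

// UNSAFE: the value is spliced into the SQL text, so whatever arrives in
// ?age=... becomes part of the statement. Eloquent cannot repair this.
function unsafeUsers(Request $request)
{
    $age = $request->query('age');
    return User::whereRaw("age > {$age} and votes = 100")->get();
}

// SAFE: the value travels as a bound parameter, separate from the SQL text.
// The "?" placeholder plus the bindings array is what makes PDO
// parameterization apply.
function safeUsers(Request $request)
{
    // Validate the type first: a bound parameter stops injection, but it
    // does not stop a nonsensical value from reaching the database.
    $age = filter_var($request->query('age'), FILTER_VALIDATE_INT);
    if ($age === false) {
        abort(422, 'age must be an integer');
    }

    // Identifiers (column names) and the sort direction cannot be bound as
    // parameters, so they are compared against an allowlist instead of
    // being taken from the request as-is.
    $allowedColumns = ['age', 'votes', 'created_at'];
    $column = $request->query('sort', 'age');
    if (!in_array($column, $allowedColumns, true)) {
        $column = 'age';
    }
    $direction = $request->query('dir') === 'desc' ? 'desc' : 'asc';

    return User::whereRaw('age > ? and votes = 100', [$age])
        ->orderBy($column, $direction)
        ->get();
}
```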
Answered by msonowal
As per your question all the eloquent queries are taken care of for SQL injection, because they use the PDO driver in core. So you don't have to worry, but the inputs are stored as they are, so you might want to sanitize as per your application's needs (HTML formatting, etc.)
Answered by Chris
Yes but the onus is still on you to validate the data coming in, and escape data coming out, as prepared statements are only part of the picture.
As a side note - I don't think dependency injection means what you think it means. Laravel does dependency injection via its service container, but DI is actually a good thing (https://en.wikipedia.org/wiki/Dependency_injection)