Laravel Eloquent: is SQL injection prevention done automatically?
Notice: this page is a Chinese-English parallel translation of a popular StackOverFlow question and is licensed under CC BY-SA 4.0. If you use it, you must likewise follow the CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/51126162/
Asked by Zirou Qiu
Given the example code (Message is an Eloquent model):
public function submit(Request $request)
{
    $this->validate($request, [
        'name'  => 'required',
        'email' => 'required',
    ]);

    // Build the model from the request input and persist it
    $message = new Message;
    $message->name = $request->input('name');
    $message->email = $request->input('email');
    $message->save();
}
Does Eloquent use parameterized queries (like PDO) or any other mechanisms to prevent SQL injection?
Answered by elixenide
Yes, but...
Yes, it does SQL injection prevention when you rely on the built-in ORM functionality, like $someModelInstance->save(). From the docs:
Laravel's database query builder provides a convenient, fluent interface to creating and running database queries. It can be used to perform most database operations in your application and works on all supported database systems.
The Laravel query builder uses PDO parameter binding to protect your application against SQL injection attacks. There is no need to clean strings being passed as bindings.
Please note that you are not automatically protected if you build raw SQL statements and execute those or use raw expressions. More from the docs:
Raw statements will be injected into the query as strings, so you should be extremely careful to not create SQL injection vulnerabilities.
You should always use parameterized queries when building raw SQL statements or expressions. See the last link above (and other parts of the docs, as well) for information on how to do that in Laravel/Eloquent.
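The answer above says bindings are safe and raw strings are not; the following added example (not part of the question or answer, and not Laravel's own code) shows the mechanism behind that claim. Laravel's query builder hands values to PDO as bound parameters, so the example uses plain PDO with an in-memory SQLite database instead of Laravel, and the `messages` table, its two rows and the attacker-controlled `$email` value are constructed for the demonstration. The Laravel calls named in the comments are the equivalents of each PDO call.

```php
<?php
// Added example: why PDO parameter binding stops injection and raw SQL
// assembled from strings does not. Runs stand-alone with php-cli and the
// pdo_sqlite extension; no Laravel installation is needed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and data (assumption, not from the original post).
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO messages (name, email) VALUES
            ('alice', 'alice@example.com'),
            ('bob',   'bob@example.com')");

// Attacker-controlled input, i.e. what $request->input('email') could carry.
$email = "nobody@example.com' OR '1'='1";

// 1. Raw SQL built by string interpolation. The single quote in the input
//    closes the literal and the OR clause matches every row. The Laravel
//    equivalents are DB::select("select * from messages where email = '$email'")
//    or ->whereRaw("email = '$email'"): raw statements are injected into the
//    query as strings, exactly as the docs warn.
$interpolated = $pdo->query("SELECT name FROM messages WHERE email = '$email'")
                    ->fetchAll(PDO::FETCH_COLUMN);
printf("interpolated: %d row(s) %s\n", count($interpolated), implode(', ', $interpolated));

// 2. Parameter binding. The SQL text and the value travel separately, so the
//    driver treats the entire input as one email value and no row matches.
//    This is what DB::select('select * from messages where email = ?', [$email]),
//    Message::where('email', $email) and Eloquent's save() do under the hood.
$stmt = $pdo->prepare('SELECT name FROM messages WHERE email = ?');
$stmt->execute([$email]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("bound:        %d row(s)\n", count($bound));

// 3. Raw expression with bindings. whereRaw() and selectRaw() accept a
//    bindings array, so raw SQL stays parameterised as long as the value is
//    kept out of the SQL string. Laravel equivalent:
//    ->whereRaw('lower(email) = ?', [strtolower($email)])
$stmt = $pdo->prepare('SELECT name FROM messages WHERE lower(email) = ?');
$stmt->execute([strtolower($email)]);
$rawBound = $stmt->fetchAll(PDO::FETCH_COLUMN);
printf("raw+binding:  %d row(s)\n", count($rawBound));

// 4. The same insert the question's controller performs, written as PDO.
//    Eloquent's save() issues an INSERT with one "?" per attribute and binds
//    the values, so a quote in the name or email is stored literally.
$insert = $pdo->prepare('INSERT INTO messages (name, email) VALUES (?, ?)');
$insert->execute(["O'Brien", $email]);
$stored = $pdo->query("SELECT COUNT(*) FROM messages")->fetchColumn();
printf("rows after save(): %d\n", $stored);
```

Case 1 returns both seeded rows while cases 2 and 3 return none, which is the whole difference between interpolating a value and binding it. Two caveats worth keeping in mind: binding only covers values, not identifiers, so a user-supplied column name or sort direction dropped into `orderBy()` or a raw string is not protected by this mechanism; and on MySQL PDO emulates prepares by default (client-side quoting of bound values), which is still safe for values but is a different code path from SQLite's native prepared statements.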