使用 Magento 方法编写插入查询并小心 SQL 注入

发布于 2024-09-16 06:20:56 字数 542 浏览 7 评论 0原文

我正在使用 Magento 的功能来插入 &更新查询。我的要求是在执行这些类型的查询时要处理 SQL 注入。但我无法找到 Magento 是如何做到这一点的。我提供一个起始样本。请给我提供一个完整的例子。

<?php
$write = Mage::getSingleton("core/resource")->getConnection("core_write");
$sql = "INSERT INTO Mage_Example (Name, Email, Company, Description, Status, Date)
    VALUES ('$name', '$email', '$company', '$desc', '0', NOW())";
?>

现在我想更改上面的查询以防止可能的 SQL 注入。我不想使用 PHP 默认的“mysql_real_escape_string()”内置函数。任何人都可以使用“$write”数据库处理程序为我提供一个有用的解决方案。

非常感谢任何帮助。

原文

I am using the Magento's functionality to insert & update queries. My requirement is that I want to take care of SQL Injection, when doing these types of queries. But I'm unable to find how Magento does this. I'm providing one start sample. Please provide me with one complete example.

<?php
$write = Mage::getSingleton("core/resource")->getConnection("core_write");
$sql = "INSERT INTO Mage_Example (Name, Email, Company, Description, Status, Date)
    VALUES ('$name', '$email', '$company', '$desc', '0', NOW())";
?>

Now I want to change the above query to prevent the possible SQL Injection. I don't want to use the default "mysql_real_escape_string()" built-in function of PHP. Can anybody please provide me with one useful solution, using the "$write" DB Handler.

Any help is greatly appreciated.

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

爱要勇敢去追 2024-09-23 06:20:56

好吧，稍微研究一下这个。如果您可以获得 DB_Adapter 的实例（我相信资源调用会返回），那么这应该不会太难。在内心深处，Magento 基于 Zend Framework，而 DB 适配器具体源自 Zend_Db_Adapter，这样你就可以免费使用这些方法。请参阅之前的链接以获取更多示例，但这里是文档中提供的语法，它应该自动转义您的输入：

$write = Mage::getSingleton("core/resource")->getConnection("core_write");

// Concatenated with . for readability
$query = "insert into mage_example "
       . "(name, email, company, description, status, date) values "
       . "(:name, :email, :company, :desc, 0, NOW())";

$binds = array(
    'name'    => "name' or 1=1",
    'email'   => "email",
    'company' => "company",
    'desc'    => "desc",
);
$write->query($query, $binds);

再次，请参阅文档以获取更多信息。

更新：

我更改了上面的示例。通过 core_write 请求返回的对象是一个 PDO 对象，它公开了一个 query 方法（见上文），该方法将允许您使用参数化查询。到目前为止，这是比尝试使用 mysql_real_escape_string 之类的数据清理更好的方法，并且我已经测试了上述代码的正确性。请注意，与大多数 MySQL 参数化查询相比，绑定是通过 :labels 完成的，而且您的变量不需要引号。

针对您的另一点，如下所述，在 Magento 中执行此操作的“正确”方法是根本不使用直接查询。 Magento 对象模型开发得很好，旨在将这种实现细节从您手中抽象出来，因为您不需要关心它。要“正确”地做到这一点，请创建一个新的基于数据库的模型并避免麻烦。

Okay, researched this one a little bit. If you can get an instance of a DB_Adapter (which I believe that resource call will return), this shouldn't be too tough. Deep down inside, Magento is based on Zend Framework, and the DB adapter specifically is descended from Zend_Db_Adapter, so you can use those methods for free. See the link before for more examples, but here's the syntax provided in the docs, which should escape your input automagically:

$write = Mage::getSingleton("core/resource")->getConnection("core_write");

// Concatenated with . for readability
$query = "insert into mage_example "
       . "(name, email, company, description, status, date) values "
       . "(:name, :email, :company, :desc, 0, NOW())";

$binds = array(
    'name'    => "name' or 1=1",
    'email'   => "email",
    'company' => "company",
    'desc'    => "desc",
);
$write->query($query, $binds);

Again, see the docs for more information.

UPDATE:

I've changed the example above. The object that you get back with your core_write request is a PDO object that exposes a query method (see above) that will let you used parameterized queries. This is BY FAR a better approach than attempting to use something like mysql_real_escape_string for data sanitization, and I've tested the above code for correctness. Note that, in contrast to most MySQL parameterized queries, the binding is done with :labels, and also that you need no quotes for your vars.

In response to your other point, and as noted below, the "right" way to do it in Magento is not to use direct queries at all. The Magento object models are well development and meant to abstract this kind of implementation detail away from you, because you shouldn't need to concern yourself with it. To do it "correctly", create a new database-based model and save the headache.

回复收藏 0 原文

萌面超妹 2024-09-23 06:20:56

我用它向表中插入多行

$table = Mage::getSingleton('core/resource')->getTableName('table_name');
$rows = array(
   array('cal_1'=>'value','cal_2'=>'value','cal_3'=>'value'),
   array('cal_1'=>'value','cal_2'=>'value','cal_3'=>'value')
);

public function insertRows($table,$rows)
{
   $write = Mage::getSingleton('core/resource')->getConnection('core_write');
   $write->insertMultiple($table,$rows);
}

I am using this for inserting multiple rows to the table

$table = Mage::getSingleton('core/resource')->getTableName('table_name');
$rows = array(
   array('cal_1'=>'value','cal_2'=>'value','cal_3'=>'value'),
   array('cal_1'=>'value','cal_2'=>'value','cal_3'=>'value')
);

public function insertRows($table,$rows)
{
   $write = Mage::getSingleton('core/resource')->getConnection('core_write');
   $write->insertMultiple($table,$rows);
}

回复收藏 0 原文

丶情人眼里出诗心の 2024-09-23 06:20:56

在资源文件中。

public function saveToTable($param){

$table = $this->getMainTable(); 

$this->_getWriteAdapter->insert($table,array(
          'col_1'=>$param['data1']
          'col_2'=>$param['data2']
          'col_3'=>$param['data3']
      ));
}

返回受影响的行数。

In resource file.

public function saveToTable($param){

$table = $this->getMainTable(); 

$this->_getWriteAdapter->insert($table,array(
          'col_1'=>$param['data1']
          'col_2'=>$param['data2']
          'col_3'=>$param['data3']
      ));
}

returns number of rows affected.

回复收藏 0 原文