PDO prepared statements: do we need to escape?
public function receiveDomainNames($keyword)
{
    try
    {
        $stmt = $this->_dbh->prepare("SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword");
        $someField = '%'.$keyword.'%';
        // bound as data, so the wildcards and $keyword never become part of the SQL text
        $stmt->bindValue(':keyword', $someField, PDO::PARAM_STR);
        $stmt->execute();
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    }
    catch (PDOException $e) { throw $e; } // catch body is not shown in the original post
}
Do we need to escape $keyword in this case?
In the PHP manual we can read:
If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).
Is this the case in your opinion? Are we, in this case, building up unescaped input (no prior treatment has been made to our $keyword parameter)?
Thanks in advance,
MEM
Comments (2)
Given the above SQL statement, I see no rational possibility of a SQL injection.
What the warning about "other parts" refers to would be a SQL query like:
The example is a worst case/explicit example of what they mean: that naively someone might think, since they're escaping the where argument, that everything is safe.
With your example above, there is no un-escaped input so you're safe.
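Added example, not code from the question or either answer, using PDO with an in-memory SQLite database (assumed available via pdo_sqlite) and constructed sample rows: it runs the question's query shape with the whole pattern bound as a value, and also shows the one thing binding does not cover, namely that % and _ inside the keyword still act as LIKE wildcards unless they are escaped and an ESCAPE clause is declared.

```php
<?php
// Added example (not from the original post). Constructed in-memory data.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec("CREATE TABLE domain (someField TEXT)");
// Constructed sample rows: one contains a quote, one contains an underscore.
foreach (["o'reilly.com", "example.org", "my_site.net"] as $name) {
    $ins = $dbh->prepare("INSERT INTO domain (someField) VALUES (:n)");
    $ins->execute([':n' => $name]);
}

// Same shape as the question's code: wildcards concatenated in PHP, then the
// whole pattern bound as a value. Anything in $keyword (quotes included) is
// sent as data, never spliced into the SQL text, so no escaping is needed to
// prevent SQL injection.
function receiveDomainNames(PDO $dbh, string $keyword): array {
    $stmt = $dbh->prepare("SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword");
    $stmt->bindValue(':keyword', '%' . $keyword . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Binding stops SQL injection but not LIKE-pattern injection: a keyword of "%"
// or "_" still behaves as a wildcard and can widen the match to every row.
// Escape the backslash first, then % and _, and tell the database which
// character is the escape so they are matched literally.
function receiveDomainNamesLiteral(PDO $dbh, string $keyword): array {
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $keyword);
    $stmt = $dbh->prepare(
        "SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword ESCAPE '\\'"
    );
    $stmt->bindValue(':keyword', '%' . $escaped . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(receiveDomainNames($dbh, "o'reilly"));  // the quote is plain data
var_dump(receiveDomainNames($dbh, "_"));         // "_" still acts as a wildcard here
var_dump(receiveDomainNamesLiteral($dbh, "_"));  // "_" is matched literally here
```

The second and third calls differ only in how the underscore is treated, which is the gap a parameter binding leaves open even when SQL injection itself is impossible.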
I'd figure variables you create shouldn't have to be escaped because you know what they're doing.
Only escape content gotten from the user, such as $_COOKIE, $_POST, $_GET and other parameters such as the URL.