学说和 SQL 注入
Doctrine 会自动防止 SQL 注入吗?
下面的代码安全吗?
$user = new Model_User();
$user->name = $_POST['username'];
$user->save();
Does Doctrine automatically prevent SQL injection?
Is the following code secure?
$user = new Model_User();
$user->name = $_POST['username'];
$user->save();
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
就SQL注入而言我认为不会有问题。但是您可能还想确保用户名的格式正确(例如可以是
As far as SQL injection is concerned I think there will be no problem. But you might want to make sure as well that the username is well formed (could for instance be
<script>//do somthing bad</script>
and that script would for instance be executed when you output that user name somewhere on the site)只要您使用 绑定参数 (Doctrine 将在幕后使用这些参数,所以你的示例很好),但是你不应该在没有先清理客户端输入的情况下使用它。查看 PHP 的 Filter 库 - 特别是清理示例。在您的情况下,您至少需要使用 FILTER_SANITIZE_STRING“剥离标签,可选择剥离或编码特殊字符”来验证名称是否为字符串。
You'll be safe from SQL injection with Doctrine (and any other PDO-based database library) as long as you use bound parameters (Doctrine will be using these under the hood so your example is fine), but you shouldn't ever use input from a client without sanitizing it first. Take a look at PHP's Filter library - in particular the sanitization example. In your case, you'd want to at least validate that the name is a string using FILTER_SANITIZE_STRING "Strip tags, optionally strip or encode special characters.".