我们如何知道 PDO 正在逃避 SQL 注入?

发布于 2024-10-10 13:09:07 字数 414 浏览 10 评论 0原文

我是 PDO 库的新手。我正在使用 mysql 作为数据库的开发环境。我可以在使用“?”时使用准备和执行函数来运行查询使用命名占位符(例如:“:column”)时的占位符和bindParam方法。

之后,我尝试看看 PDO 是否通过放入任何引号来清理查询,就像 mysql_real_escape_string 那样进行任何类型的转义。我试图查看查询会是​​什么样子,但我得到的只是已传递到准备语句中的语句,而不是要执行的查询。

我尝试 var_dump $result->execute() 和 $result->fetch() 但execute 语句为我提供了带有占位符的准备语句的sql,而fetch 语句为我提供了该查询的结果。

有没有办法查看将运行的查找查询,或者至少在运行查询之前查看参数的外观?

我希望我的问题很清楚。 :|

I am newbie with PDO libraries. I am working on development environment with mysql as my database. I am able to run through my queries using prepare and execute function while using "?" placeholder and also bindParam method while using named placeholders (ex: ":column").

After this I tried to see if PDO does any kind of escaping by putting in any quotes to sanitize the query like mysql_real_escape_string does. I am trying to see what would the query look but all I get is the statement that has been passed into the prepare statement, but not the query that would be executed.

I tried to var_dump the $result->execute(), and $result->fetch() but the execute statement gives me my prepare statement's sql with place holders while fetch statement gives me the result of that query.

Is there a way to look at the find query that would be run, or atleast how the parameters would look before running the query??

I hope I am clear with my question. :|

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

落日海湾 2024-10-17 13:09:07

当您编写如下内容时:

$stmt = $pdo->prepare('SELECT * FROM tbl_name WHERE col_name = :col_name;');
$stmt->bindValue('col_name', 'some \' value');
$stmt->execute();

实际查询是...SELECT * FROM tbl_name WHERE col_name = :col_name;。这就是所谓的“准备好的声明”。首先,将查询发送到数据库,然后发送查询参数。 PDO 不合并查询和参数。

您可能认为 PDOStatement::bindValue() 会执行以下操作:

public function bindValue($placeholer, $value, $valueType = PDO::PARAM_STR) {
    $this->query = str_replace($placeholder, $this->quote($value, $valueType), $this->query);
}

但它不会

它的作用更像是:

public function execute() {
    try {
        $this->sendQueryToDatabase($this->query);

        // Query is valid
        $this->sendParametersToDatabase($this->parameters);

        return $this->fetchResultSet();
    } catch (... $e) {
        // Query is invalid (eg. syntax error)
        throw ...;
    }
}

阅读有关准备好的语句的更多信息

When you write something like:

$stmt = $pdo->prepare('SELECT * FROM tbl_name WHERE col_name = :col_name;');
$stmt->bindValue('col_name', 'some \' value');
$stmt->execute();

The actual query is... SELECT * FROM tbl_name WHERE col_name = :col_name;. That's called prepared statement. Firstly, you send query to the database, later you send query parameters. PDO doesn't merge query and parameters.

You've probably thought that PDOStatement::bindValue() does something like:

public function bindValue($placeholer, $value, $valueType = PDO::PARAM_STR) {
    $this->query = str_replace($placeholder, $this->quote($value, $valueType), $this->query);
}

But it doesn't.

It does something more like that:

public function execute() {
    try {
        $this->sendQueryToDatabase($this->query);

        // Query is valid
        $this->sendParametersToDatabase($this->parameters);

        return $this->fetchResultSet();
    } catch (... $e) {
        // Query is invalid (eg. syntax error)
        throw ...;
    }
}

Read more about Prepared Statements

冷情妓 2024-10-17 13:09:07

说实话。

PDO 有 2 种运行准备语句的模式:

  1. 本机模式。查询和数据se-pa-ra-te-ly发送到数据库。这意味着数据永远不会添加到查询中。所以,不会造成任何伤害。曾经。查询按原样发送到数据库,带有 ? 标记(但没有命名占位符,这些占位符被 PDO 替换为 ?
  2. 兼容模式。 PDO 确实通过用依赖于变量名称的绑定变量替换占位符来进行旧式查询。字符串被引用/转义,其余的被转换为其类型。

这两种方法都是完全安全的。

当你有一个变量标识符时,真正的危险就开始了......

To put it straight.

PDO has 2 modes of running prepared statements:

  1. Native mode. Query and data being sent to the database se-pa-ra-te-ly. Which means that data never being added to the query. So, no harm could be done. Ever. The query being sent to the database as is, with ? marks (but no named placeholders which being replaced by PDO with ?s)
  2. Compatibility mode. PDO do make an old-style query, by substituting placeholders with binded variables depends on variable name. Strings being quoted/escaped, the rest being cast to it's type.

Both methods are perfectly safe.

The real danger begins when you have a variable identifier...

╰◇生如夏花灿烂 2024-10-17 13:09:07

准备语句由mysql处理,因此pdo不会转义请求,
pdo 发送请求和“之后”参数

the prepare statement is handle by mysql, so pdo don't escape the request,
pdo send the request and "after" the parameter

夜雨飘雪 2024-10-17 13:09:07

启用常规查询日志,并在运行简单语句时观察实际在服务器上执行的查询 - 执行一些插入,例如使用包含嵌入引号或 null 的字符串。

Enable the general query log, and watch the queries actually being executed against the server when you're running simple statements - do some inserts, for example, with strings containing embedded quotes or nuls.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文