从 mysql real escape 迁移到 PDO 以使其更加健壮?
让我们看一个真实的例子;下一个代码是我迄今为止在问题中使用的代码,但最近,由于索尼新闻等,我觉得我需要更多地了解这个主题“安全”。
所以这是我的代码,下面的这些函数是一个类的方法,但由于时间原因,我无法向您展示所有内容
连接到我的数据库
function SQLinit($debug = 0)
{
$svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
@mysql_select_db($sql["db_data"]);
if (!$svr_msconnect)
{
echo mysql_error();
exit;
}
}
调用查询的函数
function DoQuery($sql, $assoc=0)
{
if (!$svr_msconnect) SQLinit();
$result = mysql_query($sql, $svr_msconnect);
if (mysql_errno())
{
//error alert....
exit;
}
if ($result === TRUE) return array();
$res = array();
if ($assoc)
while ($row = mysql_fetch_assoc($result))
array_push($res, $row);
else
while ($row = mysql_fetch_row($result) )
array_push($res, $row);
return $res;
}
,然后简单用户身份验证的真实示例:
if(isset($_GET["e"]) && isset($_GET["p"])){
$e = $_GET["e"];
$p = $_GET["p"];
SQLinit();
$e = mysql_real_escape_string($e);
$p = mysql_real_escape_string($p);
$p = md5($p);
$sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
$result = DoQuery($sql,1);
}
所以基本上我的 $result 是一个包含我需要的值的数组(员工姓名,书名,等等......)
我的问题:
我不想在这里讨论 MD5或使用盐,但考虑到这已经是我的代码已实现,并且已经分布在 50 多个文件中,有没有办法将我的代码转换为 PDO 方法?
我必须说我对 PDO 方法一无所知,我只是看到了一些例子,但它们太理论化并且没有足够的背景......这里我有一个特定的背景来解决......
let's see a real example; the next code is what ive bene using so far and in ver ha da problem, but recently, due to Sony news etc, i feel i need ot learn more of this topic "security."
so this is my code, these functions below are methods of a class but for time reason i can't show you everything
Connection to my DB
function SQLinit($debug = 0)
{
$svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
@mysql_select_db($sql["db_data"]);
if (!$svr_msconnect)
{
echo mysql_error();
exit;
}
}
function to call queries
function DoQuery($sql, $assoc=0)
{
if (!$svr_msconnect) SQLinit();
$result = mysql_query($sql, $svr_msconnect);
if (mysql_errno())
{
//error alert....
exit;
}
if ($result === TRUE) return array();
$res = array();
if ($assoc)
while ($row = mysql_fetch_assoc($result))
array_push($res, $row);
else
while ($row = mysql_fetch_row($result) )
array_push($res, $row);
return $res;
}
and then a real EXAMPLE of simple user authentication:
if(isset($_GET["e"]) && isset($_GET["p"])){
$e = $_GET["e"];
$p = $_GET["p"];
SQLinit();
$e = mysql_real_escape_string($e);
$p = mysql_real_escape_string($p);
$p = md5($p);
$sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
$result = DoQuery($sql,1);
}
so basically my $result is an array with the value I need (employees names, book titles, whatever...)
my question:
I dont want to discuss here the MD5 or using a salt, but given this is my code already implemented, and is already spread in more than 50 files, there is a way to transform my code to a PDO approach?
I must say I don't know anything about PDO approach, i just saw some examples but they were too theory-y and not enough context...here i have a specific context to solve ...
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
PDO 允许准备好的语句,因此您的代码将如下所示:
有一个警告:如果查询日志有可能被其他人读取(例如在共享服务器上运行),您应该在发送密码之前先对密码进行哈希处理到 PDO,但任何使用 ' 或密码中转义的其他字符的人都需要重置,因为哈希值将不同。
有关获取模式魔法的更多信息,请参阅 http://www.php.net/manual /en/pdostatement.setfetchmode.php
PDO allows prepared statements, so your code would look something like this:
There's a caveat: If there is any chance the query log could be read by someone else (running on a shared server for example) you should hash the password first before sending it to PDO, but anyone who was using ' or another character that was escaped in their password will need to reset, because the hash will then be different.
For more about fetch mode magic, see http://www.php.net/manual/en/pdostatement.setfetchmode.php
首先,PHP 数据对象扩展只是一种用于访问和使用数据库。如果您想了解如何使用 PDO 库,请查看文档。不过,您可以在不使用 PHP 的 PDO 扩展的情况下创建安全的数据库实现。
您当前的实现还不错,但我绝对建议不要通过 URI 查询传递用户凭据(即使用 $_POST 而不是 $_GET 作为更敏感的参数)。
First of all, the PHP Data Objects Extension is simply a mechanism used to access and use databases. If you want to learn how to use the PDO library, check out the documentation. You can create a secure database implementation without the use of PHP's PDO extension, though.
Your current implementation isn't too bad, but I would definitely recommend NOT passing user credentials via URI query (ie. use $_POST instead of $_GET for your more sensitive parameters).