从 mysql real escape 迁移到 PDO 以使其更加健壮?

发布于 2024-11-05 11:45:54 字数 1795 浏览 2 评论 0原文

让我们看一个真实的例子;下一个代码是我迄今为止在问题中使用的代码,但最近,由于索尼新闻等,我觉得我需要更多地了解这个主题“安全”。

所以这是我的代码,下面的这些函数是一个类的方法,但由于时间原因,我无法向您展示所有内容

连接到我的数据库

   function SQLinit($debug = 0)
   {
         $svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
         @mysql_select_db($sql["db_data"]);
         if (!$svr_msconnect)
         {
           echo mysql_error();
           exit;
         }
   }

调用查询的函数

   function DoQuery($sql, $assoc=0)
   {
        if (!$svr_msconnect) SQLinit();

        $result = mysql_query($sql, $svr_msconnect);

        if (mysql_errno())
        {
            //error alert....
            exit;
        }

        if ($result === TRUE) return array();        
        $res = array();

        if ($assoc)
            while ($row = mysql_fetch_assoc($result))
                array_push($res, $row);
        else
            while ($row = mysql_fetch_row($result)  ) 
                array_push($res, $row);

        return $res;
   } 

,然后简单用户身份验证的真实示例

     if(isset($_GET["e"]) && isset($_GET["p"])){

         $e = $_GET["e"];
         $p = $_GET["p"];       

         SQLinit();

         $e = mysql_real_escape_string($e);
         $p = mysql_real_escape_string($p);
         $p = md5($p);

        $sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
        $result = DoQuery($sql,1);
    }

所以基本上我的 $result 是一个包含我需要的值的数组(员工姓名,书名,等等......)

我的问题:

我不想在这里讨论 MD5或使用盐,但考虑到这已经是我的代码已实现,并且已经分布在 50 多个文件中,有没有办法将我的代码转换为 PDO 方法?

我必须说我对 PDO 方法一无所知,我只是看到了一些例子,但它们太理论化并且没有足够的背景......这里我有一个特定的背景来解决......

let's see a real example; the next code is what ive bene using so far and in ver ha da problem, but recently, due to Sony news etc, i feel i need ot learn more of this topic "security."

so this is my code, these functions below are methods of a class but for time reason i can't show you everything

Connection to my DB

   function SQLinit($debug = 0)
   {
         $svr_msconnect = @mysql_connect($sql["db_host"], $sql["db_login"], $sql["db_pass"]);
         @mysql_select_db($sql["db_data"]);
         if (!$svr_msconnect)
         {
           echo mysql_error();
           exit;
         }
   }

function to call queries

   function DoQuery($sql, $assoc=0)
   {
        if (!$svr_msconnect) SQLinit();

        $result = mysql_query($sql, $svr_msconnect);

        if (mysql_errno())
        {
            //error alert....
            exit;
        }

        if ($result === TRUE) return array();        
        $res = array();

        if ($assoc)
            while ($row = mysql_fetch_assoc($result))
                array_push($res, $row);
        else
            while ($row = mysql_fetch_row($result)  ) 
                array_push($res, $row);

        return $res;
   } 

and then a real EXAMPLE of simple user authentication:

     if(isset($_GET["e"]) && isset($_GET["p"])){

         $e = $_GET["e"];
         $p = $_GET["p"];       

         SQLinit();

         $e = mysql_real_escape_string($e);
         $p = mysql_real_escape_string($p);
         $p = md5($p);

        $sql = "SELECT user_id,user_email,user_pass FROM user_tb where user_email='$e' AND user_pass= '$p' ";
        $result = DoQuery($sql,1);
    }

so basically my $result is an array with the value I need (employees names, book titles, whatever...)

my question:

I dont want to discuss here the MD5 or using a salt, but given this is my code already implemented, and is already spread in more than 50 files, there is a way to transform my code to a PDO approach?

I must say I don't know anything about PDO approach, i just saw some examples but they were too theory-y and not enough context...here i have a specific context to solve ...

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

只是我以为 2024-11-12 11:45:54

PDO 允许准备好的语句,因此您的代码将如下所示:

$pdo = new PDO( ... params ... );
$stmt = $pdo->prepare("SELECT user_id,user_email,user_pass FROM user_tb where user_email = ? AND user_pass = MD5( ? ) ");

// If you have a User class, you can load it 
// otherwise you get an array
$stmt->setFetchMode(PDO_FETCH_CLASS, 'User');

$stmt->execute(array($_POST["e"], $_POST["p"]));
$user = $stmt->fetch();

有一个警告:如果查询日志有可能被其他人读取(例如在共享服务器上运行),您应该在发送密码之前先对密码进行哈希处理到 PDO,但任何使用 ' 或密码中转义的其他字符的人都需要重置,因为哈希值将不同。

有关获取模式魔法的更多信息,请参阅 http://www.php.net/manual /en/pdostatement.setfetchmode.php

PDO allows prepared statements, so your code would look something like this:

$pdo = new PDO( ... params ... );
$stmt = $pdo->prepare("SELECT user_id,user_email,user_pass FROM user_tb where user_email = ? AND user_pass = MD5( ? ) ");

// If you have a User class, you can load it 
// otherwise you get an array
$stmt->setFetchMode(PDO_FETCH_CLASS, 'User');

$stmt->execute(array($_POST["e"], $_POST["p"]));
$user = $stmt->fetch();

There's a caveat: If there is any chance the query log could be read by someone else (running on a shared server for example) you should hash the password first before sending it to PDO, but anyone who was using ' or another character that was escaped in their password will need to reset, because the hash will then be different.

For more about fetch mode magic, see http://www.php.net/manual/en/pdostatement.setfetchmode.php

沉默的熊 2024-11-12 11:45:54

首先,PHP 数据对象扩展只是一种用于访问和使用数据库。如果您想了解如何使用 PDO 库,请查看文档。不过,您可以在不使用 PHP 的 PDO 扩展的情况下创建安全的数据库实现。

您当前的实现还不错,但我绝对建议不要通过 URI 查询传递用户凭据(即使用 $_POST 而不是 $_GET 作为更敏感的参数)。

First of all, the PHP Data Objects Extension is simply a mechanism used to access and use databases. If you want to learn how to use the PDO library, check out the documentation. You can create a secure database implementation without the use of PHP's PDO extension, though.

Your current implementation isn't too bad, but I would definitely recommend NOT passing user credentials via URI query (ie. use $_POST instead of $_GET for your more sensitive parameters).

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文