为什么 PHP PDO 不保护我的查询免遭注入?
我仍在全面学习 PDO 的过程中,但是当我今天晚上检查它是否可以用于 SQL 注入 URL 参数时,我感到有点惊讶,令我惊讶的是,它确实有效。于是我开始思考;发布的值应该使用 PDO 准备好的语句自动清理,这意味着我的 SQL 查询一定有问题,对吗?
我有一个页面需要 GET 变量,以便使用该 ID 从数据库中收集相应的数据。我创建了一个函数,其中包括准备查询以及执行查询以简化编码过程。我现在编写的代码如下所示:
$request = $_GET['movie'];
$sql = "SELECT * FROM `movies` WHERE `url` = '$request'";
$db = new database;
$db->setDBC();
$process = $db->executeQuery($sql);
$cmd = $process->fetch(PDO::FETCH_NUM);
$title = $cmd[1];
我得到的 PDO 异常是:
致命错误:未捕获异常“PDOException”,消息为“SQLSTATE[42000]:语法错误或访问冲突:1064 您的 SQL 语法有错误;检查与您的 MySQL 服务器版本相对应的手册,了解在 C:\xampp\htdocs\filmvote\include\databaseClass.php:33 中第 1 行“21-31282 ''' 附近使用的正确语法”堆栈跟踪:# 0 C:\xampp\htdocs\filmvote\include\databaseClass.php(33): PDOStatement->execute() #1 C:\xampp\htdocs\filmvote\recension.php(9):databaseManagement->executeQuery('SELECT * FROM `...') #2 {main} 抛出在 C:\xampp\htdocs\filmvote\include\ 中databaseClass.php 第 33 行
在 URL 中添加 ' 或 1-1
时会出现此类错误。对此我能做什么?真的很感谢您的帮助。
I'm still in the progress of learning PDO fully, but I was kind of surprised when I checked this evening if it worked to SQL Inject the URL parameter, and to my surprise, it did work. So I started thinking; the posted values are supposed to be sanitized automatically using PDO - prepared statements, which means there must be something wrong with my SQL query, am I right?
I'm having a page that needs a GET variable in order to gather corresponding data from my database with that ID. I have created a function that includes preparing the query, and as well as executing it to simplify the coding process. The code I have written now looks like:
$request = $_GET['movie'];
$sql = "SELECT * FROM `movies` WHERE `url` = '$request'";
$db = new database;
$db->setDBC();
$process = $db->executeQuery($sql);
$cmd = $process->fetch(PDO::FETCH_NUM);
$title = $cmd[1];
And the PDO Exception I get is:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''21-31282 ''' at line 1' in C:\xampp\htdocs\filmvote\include\databaseClass.php:33 Stack trace: #0 C:\xampp\htdocs\filmvote\include\databaseClass.php(33): PDOStatement->execute() #1 C:\xampp\htdocs\filmvote\recension.php(9): databaseManagement->executeQuery('SELECT * FROM `...') #2 {main} thrown in C:\xampp\htdocs\filmvote\include\databaseClass.php on line 33
You get this kind of error when adding ' or 1-1
to the URL. What can I do about this? Really grateful for help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不。只有当您像这样使用实际的准备好的语句时:
您插入的值才会被自动清理,并且您的查询将受到 SQL 注入的保护。
否则,您的 SQL 查询将像任何旧的
mysql_query()
一样执行,并且容易受到攻击。 PDO 无法接受查询然后自动清理易受攻击的部分。那是不可能的。Nope. Only if you use actual prepared statements like so:
will your the values you insert be automatically sanitized, and your query protected from SQL injection.
Otherwise, your SQL query will be executed like any old
mysql_query()
, and is vulnerable. PDO can not take a query and then automatically sanitize the vulnerable parts. That's not possible.尝试准备好的语句:
Try prepared statements: